The CSRF ("cross-site request forgery") protection token must only be valid for a specific account (or, better yet, a specific session). An attacker who wanted to discover a victim's CSRF protection using curl
or similar would need to know the victim's session token. (Of course, if they have the session token, they can just make requests directly without bothering to send them across sites.)
CSRF is an attack where I forge requests in a user's session by using my site to tell the user's browser to send a request to your site (which is hosted on a totally different server and domain name, of course, thus "cross-site"). It works, even though I (the attacker) don't know the victim's session token, because the victim's browser automatically sends all the cookies (for your site) with any request to your site, even if the request was made because of the content of my site.
I never see those cookies, though; they go straight from the victim's browser to your server, leaving mine totally out of the loop. I can't get them using JavaScript or similar, either, because of the same-origin policy. Since I don't have the session cookie, I can't add it to curl
. Without that, I can't request the CSRF protection token that is valid for the victim's session, so if your server uses CSRF protection correctly, it won't trust the forged requests.