I've seen some websites use CSRF tokens in the cookie field like
and not as a separate header or as part of POST data. My question is, when a attacker's website makes a CSRF request with those cookies to the victim's website, how is CSRF token useful here? Doesn't CSRF token go with the cookie!? I'm confused.
Yeah, the cookie will be sent automatically with all requests by the browser. So only using a token in a cookie defeats the whole purpose of CSRF defence.
So... Are all sites where you see CSRF tokens in cookies vulnerable? No. Most likely, the value in the cookie is included somewhere else as well, e.g. in a header or hidden form field. This is known as the "double submit cookie" pattern, and it has the advantage that it requires no server state. As usual, OWASP got you covered:
When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine separate from the session id. The site does not have to save this value in any way, thus avoiding server side state. The site then requires that every transaction request include this random value as a hidden form value (or other request parameter). A cross origin attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can force a victim to send any value he wants with a malicious CSRF request, the attacker will be unable to modify or read the value stored in the cookie. Since the cookie value and the request parameter or form value must be the same, the attacker will be unable to successfully force the submission of a request with the random CSRF value.
External links referenced by this document: