How does this Man-In-The-Middle attack work?

Backend  Unresolved  4  2060
耶瑟儿~
耶瑟儿~ 2020-12-30 03:02

The Django documentation on its CSRF protection states that:

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddlewar

4 answers
  •  礼貌的吻别
    2020-12-30 03:52

    Here's a very detailed description of one such MitM attack. Below is an abridged and simplified adaptation:

    Assume that:

    • the attacked site is foo.com
    • we (the attacker) can MitM all requests
    • some pages are served over HTTP (e.g., http://foo.com/browse)
    • some pages are served over HTTPS (e.g., https://foo.com/check_out), and those pages are protected by a log-in cookie (w/Secure set). Note that this means we cannot steal the user's login cookie.
    • all forms are protected by comparing a form parameter with the csrftoken cookie. As noted in the django docs, it's irrelevant to this attack whether they are "signed" or just random nonces.

    Grab a valid CSRF token

    • just read the traffic when the user visits http://foo.com/browse
    • or, if the tokens are form-specific, we can just log into the site with our own account and get a valid token from http://foo.com/check_out on our own.

    MitM to force attacker-controlled POST to HTTPS page with that token:

    Modify an HTTP-served page (e.g., http://foo.com/browse) to have an auto-submitting form that submits to an HTTPS POST end-point (e.g., http://foo.com/check_out). Also set their CSRF cookie to match your token:

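As an added illustration (not part of the answer above and not Django's own code), here is a simplified check modelled on the two tests the answer refers to: the token comparison, which the MitM scenario satisfies because the attacker controls both the cookie and the form field, and the strict Referer check that Django applies only to HTTPS requests, which is what stops the auto-submitted form from the HTTP page. The request dictionaries, the token value and the helper names are constructed for this example.

```python
import hmac
from urllib.parse import urlparse

# Constructed sample requests for the scenario in the answer (foo.com is the
# host used there). A request is a plain dict, not a Django HttpRequest.

def check_csrf(request):
    """Return (accepted, reason) for one request.
    Step 1 mirrors the token comparison; step 2 mirrors strict referer
    checking, which is only performed when the request itself is HTTPS."""
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method, no CSRF check"
    # 1. Form parameter must match the csrftoken cookie (constant-time compare).
    #    The MitM attacker sets both, so this check passes in the attack.
    cookie_token = request["cookies"].get("csrftoken", "")
    form_token = request["post"].get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token missing or incorrect"
    # 2. Strict Referer check for HTTPS requests: the Referer must be present,
    #    must itself be https, and must name the same host as the request.
    if request["scheme"] == "https":
        referer = request["headers"].get("Referer")
        if not referer:
            return False, "Referer checking failed - no Referer"
        parsed = urlparse(referer)
        if parsed.scheme != "https" or not parsed.netloc:
            return False, "Referer checking failed - insecure Referer on a secure request"
        if parsed.netloc != request["host"]:
            return False, "Referer checking failed - %s does not match %s" % (
                parsed.netloc, request["host"])
    return True, "ok"

TOKEN = "constructed-token-0123"  # constructed value, not a real token
BASE = {"method": "POST", "scheme": "https", "host": "foo.com",
        "cookies": {"csrftoken": TOKEN},
        "post": {"csrfmiddlewaretoken": TOKEN, "item": "42"}}

def mitm_request():
    # Auto-submitted by the attacker-modified HTTP page: the browser attaches
    # the HTTP page as Referer when navigating from http to https.
    return dict(BASE, headers={"Referer": "http://foo.com/browse"})

def legitimate_request():
    # Same token and host, but the form was served from the HTTPS page.
    return dict(BASE, headers={"Referer": "https://foo.com/check_out"})

if __name__ == "__main__":
    print(check_csrf(mitm_request()))        # rejected despite a matching token
    print(check_csrf(legitimate_request()))  # accepted
```

The token check alone accepts both requests; only the Referer step distinguishes the form injected into the HTTP page from one served over HTTPS.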
