Is comparing a session value and a hidden form enough to prevent CSRF?
So the "typical" CSRF protection method is storing a nonce in the session and in a hidden form element. Is it possible for an attacking website to first scrape the target form using the victim's session, obtain the hidden form token, and then send that token in its own form element? Testing this myself, it validates. I am just curious whether it is possible for a bot to scrape the page and obtain the nonce.
If this is possible, then how can you protect against this type of attack?
If the attacker could scrape the victim's page, he wouldn't need to use CSRF, because he could basically do anything with the user's data. This is actually called session hijacking, and there are other ways of defending the user from it.
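To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) of the synchronizer-token pattern being discussed: a nonce stored server-side per session and copied into a hidden field, then compared on submit. The `dict` sessions, the `/transfer` form, and the three submit scenarios are constructed for the demonstration; `extract_hidden_token` stands in for whatever scraping an attacker might do.

```python
import hmac
import html
import secrets

SESSION_TOKEN_KEY = "csrf_token"


def issue_csrf_token(session):
    # One random nonce per session, created lazily and reused for every form.
    token = session.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_TOKEN_KEY] = token
    return token


def render_form(session):
    # The same nonce is copied into the hidden field the browser will post back.
    token = html.escape(issue_csrf_token(session), quote=True)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="text" name="amount">'
            '</form>')


def validate_csrf(session, form_fields):
    # Reject if either side is missing; compare in constant time to avoid timing leaks.
    expected = session.get(SESSION_TOKEN_KEY)
    submitted = form_fields.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def extract_hidden_token(form_html):
    # Stand-in for a scraper pulling the hidden field out of a fetched page.
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    end = form_html.index('"', start)
    return html.unescape(form_html[start:end])


def simulate():
    # Constructed sessions: the dicts stand in for server-side session storage
    # keyed by the session cookie the browser sends with each request.
    victim_session = {"user": "alice"}
    attacker_session = {"user": "mallory"}

    victim_page = render_form(victim_session)
    attacker_page = render_form(attacker_session)

    results = {}
    # 1. Legitimate submit: the browser posts the hidden field from the victim's own page.
    results["legit"] = validate_csrf(
        victim_session,
        {"csrf_token": extract_hidden_token(victim_page), "amount": "10"})
    # 2. Classic CSRF: a form on another origin posts with the victim's cookie attached,
    #    but cannot include a token it never saw (it cannot read the victim's page).
    results["forged_no_token"] = validate_csrf(victim_session, {"amount": "10"})
    # 3. The attacker pastes the nonce from their *own* session into the forged form;
    #    it does not match the nonce stored in the victim's session.
    results["forged_attacker_token"] = validate_csrf(
        victim_session,
        {"csrf_token": extract_hidden_token(attacker_page), "amount": "10"})
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:24s} -> {'accepted' if ok else 'rejected'}")
```

The experiment in the question, scraping the form "using the victim's session", produces exactly the request in case 1: the fetch carried the victim's cookie, so the nonce returned is the one stored in that session, and the server has no way to tell the two apart. Getting hold of that cookie is the session-hijacking problem the answer refers to, and it is outside what the hidden-field check is meant to solve; the check's job is cases 2 and 3, where the forging page has the victim's cookie sent on its behalf but never sees the victim's token.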