CSRF stands for Cross-Site Request Forgery.
Cross-Site Request Forgery (CSRF) is an attack in which a malicious site causes the user's browser to send a request to a vulnerable site where the user is currently logged in.
For example:
- You logged in to the site X.com with form authentication.
- The site will return an authentication cookie.
- This cookie will travel along with the user's every request.
- If the user visits a malicious site Y.com, that site may contain an HTML form with a submit button (or, really, any kind of button).
- If you click the button, the form is submitted to X.com instead of Y.com, and the browser attaches X.com's authentication cookie to that request.
- The attacker can then perform any action you are allowed to perform, using your authentication cookie, and a script can submit the form without you clicking anything.
- This is especially dangerous when the user is logged in to, say, a banking application.
To prevent this, include a secret token in the form that the server validates when the user submits it; the malicious site cannot read that token from X.com's page, so its forged form fails the check.
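As an added example (not from the original post), here is a minimal synchronizer-token implementation in Python: the in-memory session store, the `/transfer` form and the function names are assumed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}


def create_session():
    """Create a logged-in session and mint a per-session CSRF token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id):
    """Embed the session's token in X.com's form as a hidden field.
    Only a page served by X.com can read this value."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Send"></form>'
    )


def validate_form_submission(cookie_session_id, form_fields):
    """Server-side check on a POST to /transfer.
    The browser attaches X.com's cookie to a form posted from Y.com, but
    Y.com cannot read the token from X.com's page, so a forged submission
    arrives without it (or with a wrong one) and is rejected."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return False  # no valid login session behind the cookie
    submitted = form_fields.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token.
    return hmac.compare_digest(submitted, session["csrf_token"])
```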