What Is CSRF?


CSRF stands for Cross-Site Request Forgery.

Cross-Site Request Forgery (CSRF) is an attack in which a malicious site causes the user's browser to send a request to a vulnerable site where the user is currently logged in.

For example:

  • You log in to the site X.com with form authentication.
  • The site returns an authentication cookie.
  • The browser sends this cookie along with every request you make to X.com.
  • You then visit a malicious site, Y.com, which may contain an HTML form with a submit button (or, really, any type of button).
  • If you click the button, the form is submitted to X.com instead of Y.com, along with the authentication cookie.
  • The attacker can then do whatever you are able to do on X.com, using your authentication cookie, and can also post the form by running some scripts.
  • This is especially dangerous when you are logged into, say, a banking application.

To prevent this, you need a token which will be included in the form and which will be validated server side when the user submits the form.
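
One way to implement this check, as an added example that is not code from the original post: the token is tied to the session with an HMAC, placed in a hidden form field, and verified on submit. The function names, the `auth` cookie name and the `csrf_token` field name are assumptions, and session ids are assumed to be server-generated hex strings.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process key for this example; a real app loads a persistent secret.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    # Binding the MAC to the session id makes a token useless in any other session.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Token the server embeds in a hidden form field when it renders the form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def validate_token(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token was issued for this session."""
    if not submitted or "." not in submitted:
        return False
    nonce, mac = submitted.split(".", 1)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def handle_post(cookies: dict, form: dict) -> int:
    """Hypothetical form handler; returns the HTTP status it would send."""
    session_id = cookies.get("auth")  # assumed cookie name
    if session_id is None:
        return 401
    # The browser attaches the cookie automatically, so the cookie alone proves
    # nothing about where the form came from; the hidden field must match too.
    if not validate_token(session_id, form.get("csrf_token")):
        return 403
    return 200
```

A form posted from another site carries the cookie but cannot include a valid `csrf_token`, because that site cannot read the page X.com rendered for the user.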
