What is Cross Site Request Forgery?
Cross Site Request Forgery (also known as XSRF) works by exploiting the trust a site places in a user's intentions.
Site tasks are usually linked to specific URLs (example: http://site/stocks?buy=100&stock=ebay), so that a certain action
happens when the user visits the URL.
If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs,
the task is performed and logged as the logged-in user. Typically the attacker embeds an IMG tag or other HTML/JavaScript
code that requests a specific 'task URL'; if the user is logged in, the request is executed without their knowledge.
These sorts of attacks are fairly difficult to detect, potentially leaving a user debating with the website/company,
after the price has plummeted, as to whether or not the stocks bought the day before were actually initiated by the user.
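To make the mechanism concrete, here is an added example (not code from CGISecurity.com or from any real site) showing a purchase handler for a task URL like the one above: first in the vulnerable form the text describes, where the session cookie alone authorizes the action, and then hardened with a session-bound token, a POST-only rule and an Origin check. The session store, the cookie name, SERVER_SECRET and the Request object are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed example value: a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"


@dataclass
class Session:
    session_id: str
    user: str
    portfolio: Dict[str, int] = field(default_factory=dict)


@dataclass
class Request:
    method: str                   # "GET" or "POST"
    params: Dict[str, str]        # query-string or form fields
    cookies: Dict[str, str]       # cookies the browser attaches automatically
    origin: Optional[str] = None  # Origin header, if the browser sent one


def make_sessions() -> Dict[str, Session]:
    """Constructed session store with one logged-in user."""
    return {"sid-alice": Session("sid-alice", "alice")}


def lookup_session(sessions: Dict[str, Session], request: Request):
    return sessions.get(request.cookies.get("sid"))


def buy_stock_vulnerable(sessions, request):
    """Task URL as described above (/stocks?buy=100&stock=ebay).
    Any request carrying the session cookie performs the purchase, so a
    request the browser was tricked into sending from another site succeeds."""
    session = lookup_session(sessions, request)
    if session is None:
        return 401, "not logged in"
    stock, qty = request.params["stock"], int(request.params["buy"])
    session.portfolio[stock] = session.portfolio.get(stock, 0) + qty
    return 200, f"{session.user} bought {qty} {stock}"


def csrf_token_for(session: Session) -> str:
    """Token bound to the session (HMAC over the session id). The site embeds
    it in its own forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def buy_stock_hardened(sessions, request, site_origin="https://site"):
    """Same task with three checks a forged request cannot satisfy: state
    changes only on POST, the Origin header (when present) must match the
    site, and the form must carry the session-bound token."""
    session = lookup_session(sessions, request)
    if session is None:
        return 401, "not logged in"
    if request.method != "POST":
        return 405, "state-changing task requires POST"
    if request.origin is not None and request.origin != site_origin:
        return 403, "cross-origin request rejected"
    token = request.params.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session)):
        return 403, "missing or invalid CSRF token"
    stock, qty = request.params["stock"], int(request.params["buy"])
    session.portfolio[stock] = session.portfolio.get(stock, 0) + qty
    return 200, f"{session.user} bought {qty} {stock}"


def demo() -> Dict[str, object]:
    """Constructed requests: the browser-forged ones carry only the cookie;
    the legitimate one is a submission of the site's own form."""
    sessions = make_sessions()
    cookie = {"sid": "sid-alice"}
    task = {"buy": "100", "stock": "ebay"}
    forged_get = Request("GET", task, cookie, origin="https://other.example")
    forged_post = Request("POST", task, cookie, origin="https://other.example")
    forged_post_no_origin = Request("POST", task, cookie)  # older browsers send no Origin
    legit = Request("POST", dict(task, csrf_token=csrf_token_for(sessions["sid-alice"])),
                    cookie, origin="https://site")
    results = {
        "vulnerable_forged": buy_stock_vulnerable(sessions, forged_get)[0],
        "hardened_forged_get": buy_stock_hardened(sessions, forged_get)[0],
        "hardened_forged_post_cross_origin": buy_stock_hardened(sessions, forged_post)[0],
        "hardened_forged_post_no_origin": buy_stock_hardened(sessions, forged_post_no_origin)[0],
        "hardened_legitimate": buy_stock_hardened(sessions, legit)[0],
    }
    results["portfolio"] = dict(sessions["sid-alice"].portfolio)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check is the one that matters most: the Origin header is absent in some browsers and the method rule alone only stops IMG-tag style GETs, so neither should be relied on by itself. Note that the vulnerable handler also records the forged purchase in the user's portfolio, which is exactly the audit-trail dispute the text describes.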