Antiforgery Validation: Preventing XSRF/CSRF Attacks
In this lesson, we will learn how to protect our application from malicious sites that might force legitimate users to submit dangerous requests.
What is a CSRF attack?
Forms can also be submitted to different websites, so a malicious site, say www.fake.com, might contain a form that submits data to the user's bank website. The data might be placed in hidden input fields so the user can't see them, and it might encode a bank transfer to the owners of the www.fake.com malicious website.
The user might be convinced to submit the form by a fake message on the submit button, such as “Download your free book about…”. In fact, that button submits the form containing the bank transfer, and the bad news is that if the browser already holds a non-expired authentication cookie for the bank website, that cookie will be sent along and will authenticate the bank transfer. Cookies are associated with their target websites, so if the form is submitted to the bank URL, all cookies associated with the bank website are sent together with the submitted data. Therefore, the authentication cookie is also sent to the bank website, granting the operation specified in the form.
Similar attacks are called Cross-Site Request Forgery attacks, which are abbreviated CSRF or XSRF. The diagram below summarizes the attack.
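The following added example (not code from the lesson) shows the mechanism that defeats this attack: the bank embeds a secret antiforgery token in its own form and rejects any post that lacks a token bound to the current session, so the cookie alone no longer authorizes the transfer. The session identifiers, the hidden-field name `antiforgery_token`, and the simulated `handle_transfer` endpoint are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example; a real server keeps it out of source control.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_FIELD = "antiforgery_token"  # hypothetical hidden-field name

def issue_antiforgery_token(session_id: str) -> str:
    """Embedded in the bank's own form. The HMAC binds the token to the session,
    so a token minted for another session does not validate."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def validate_antiforgery_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(request: dict) -> str:
    """Simulated bank endpoint. The session cookie arrives automatically with any
    form post aimed at the bank, whoever built the form, so it cannot by itself
    distinguish a legitimate post from a forged one; the token can."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not authenticated"
    if not validate_antiforgery_token(session_id, request["form"].get(TOKEN_FIELD)):
        return "400 antiforgery validation failed"
    return f"200 transfer {request['form']['amount']} to {request['form']['to']}"

def demo() -> dict:
    victim = "session-of-victim"  # constructed session cookie value
    # 1. Form rendered by the bank itself carries a fresh token for this session.
    legit = {"cookies": {"session": victim},
             "form": {"to": "savings", "amount": "50", TOKEN_FIELD: issue_antiforgery_token(victim)}}
    # 2. Hidden form on www.fake.com: the browser attaches the bank cookie, but the
    #    attacker's page cannot read the bank's token (same-origin policy), so none is sent.
    forged = {"cookies": {"session": victim},
              "form": {"to": "fake-com-owner", "amount": "10000"}}
    # 3. A token taken from the attacker's own session is bound to the wrong session.
    replayed = {"cookies": {"session": victim},
                "form": {"to": "fake-com-owner", "amount": "10000",
                         TOKEN_FIELD: issue_antiforgery_token("session-of-attacker")}}
    return {name: handle_transfer(req) for name, req in
            (("legit", legit), ("forged", forged), ("replayed", replayed))}
```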