Broken Access Control

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious site sends a cross-origin request to a trusted site while the user is authenticated at the trusted site. A CSRF attack works when the browser request includes credentials associated with the trusted site, such as the user's session cookie. If the user is authenticated at the trusted site, the trusted site can’t distinguish between forged and legitimate requests sent by the victim. CSRF attacks fall under the Broken Access Control OWASP category, ranked number one on the OWASP Top Ten.

The GET example

Let's say Sally is a customer at https://bank.com. After they log in, a session cookie is set in their browser. The bank uses GET requests to initiate transfers of money between accounts. The authenticated request to transfer $1,000 from Sally to Fred might look something like GET http://bank.com/transfer?acct=fred&amount=1000. This request only works after Sally has logged in and their session cookie has been set.

A hacker then sends Sally an unsolicited email with this HTML content:

<a href="http://bank.com/transfer?acct=fred&amount=1000">Click here to claim your prize!</a>

If Sally clicks the link while still actively logged in to their bank, an authenticated request to bank.com will be made and their funds will be transferred.

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0">

If the above code is included in the email instead, Sally doesn’t even have to click anything. The request will be made simply by loading the email, and if the cross-origin request is sent with credentials, their funds will be transferred.
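The defence side of the GET example above, as an added illustration that is not part of the original lesson: a minimal server-side check that refuses the forged transfer and accepts Sally's own, by allowing state changes only over POST, comparing the browser's Origin/Referer with the bank's origin, and requiring a per-session synchronizer token that a cross-site page cannot read. TRUSTED_ORIGIN, SESSIONS and the plain-dict request shape are constructed for this demo, not a real framework's API.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for this example: the bank's own origin and an in-memory
# session store standing in for the server-side session.
TRUSTED_ORIGIN = "https://bank.com"
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf_token": ...}

def start_session(user):
    """Issue a session cookie and a synchronizer token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def is_allowed_transfer(request):
    """Decide whether a transfer request may proceed; returns (allowed, reason).

    `request` is a plain dict standing in for a parsed HTTP request (method,
    headers, cookies, form); this shape is constructed, not a framework API.
    """
    if request["method"] != "POST":
        return False, "state change must use POST, not GET"
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return False, "not authenticated"
    # Source check: a request forged from another site carries that site's Origin.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None:
        return False, "missing Origin/Referer"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-origin request from {parsed.netloc}"
    # Token check: a forging site cannot read the token out of bank.com's pages.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo():
    """Sally's session with a forged request beside a legitimate one."""
    sid = start_session("sally")
    token = SESSIONS[sid]["csrf_token"]
    common = {"method": "POST", "cookies": {"session": sid}}
    forged = {**common, "headers": {"Origin": "https://evil.example"},
              "form": {"acct": "fred", "amount": "1000"}}
    legit = {**common, "headers": {"Origin": TRUSTED_ORIGIN},
             "form": {"acct": "fred", "amount": "1000", "csrf_token": token}}
    return is_allowed_transfer(forged), is_allowed_transfer(legit)
```

Note that the session cookie rides along with both requests exactly as the lesson describes; it is the Origin and the token, not the cookie, that tell the two apart.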

The POST example
