Introduction to Cross-Site Request Forgery (XSRF)
In this chapter, you will be introduced to cross-site request forgery.
If XSS is a case of a browser trusting JavaScript from the server too much, XSRF is a case of a server trusting a browser too much.
Let’s go back to our example of a blogging site. Somehow there must be a browser request that saves a blog post to the server. Suppose the blog posting request looks something like this:
POST /blog/create HTTP/1.1
Host: www.romansjournalingsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 57
body=It+was+the+best+of+posts.+It+was+the+worst+of+posts.&submit=Publish
In a naive web application, that could be all it takes to publish to a hosted blog—a POST request with a logged-in sessionid cookie. Let’s see how an attacker or an administrator of an evil website could use this for nefarious purposes.
Suppose I run a malicious website. I ostensibly serve up pictures of adorable kittens playing with yarn. But surreptitiously, I also serve up malicious content like this:
<html lang="en">
<body>
<h1>Malicious site</h1>
<form action="http://romansjournalingsite.com/blog/create" method="POST">
  <input name="body" value="Arbitrary Attacker-Controlled Content. I love evilxsrf.com" />
  <input type="submit" id="submit" name="submit" value="Publish" />
</form>
<script>document.getElementById('submit').click();</script>
</body>
</html>
What does this do? It creates a form with the action we just saw when we looked at the romansjournalingsite.com request that creates a new blog post. Additionally, the form is prepopulated with content that will create a blog post that says Arbitrary Attacker-Controlled Content. I love ...
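To make the server-side half of this concrete, here is an added example (not code from the chapter or from any real blogging site): a toy back end for the /blog/create request above. The naive handler does exactly what the text describes, accepting any POST that carries a valid sessionid cookie, so the browser's auto-submitted cross-site form is published as the logged-in user. The hardened handler beside it adds the two checks that close the gap: a per-session token that only a page served by the blog itself can embed in its form, and a check of the browser-supplied Origin header. SITE_ORIGIN, SECRET_KEY, the SESSIONS table, the csrf_token field name and both sample requests are constructed for the example.

```python
# Added example (not from the chapter): a toy blog back end whose naive
# /blog/create handler trusts the session cookie alone, beside a hardened
# version. All names, SECRET_KEY and the sample requests are constructed.
import hashlib
import hmac
from urllib.parse import parse_qs

SITE_ORIGIN = "https://www.romansjournalingsite.com"   # constructed
SECRET_KEY = b"constructed-server-side-secret"          # constructed
SESSIONS = {"Re9ljf4uObKk9mSFqBlusxamUKw": "roman"}     # sessionid -> user (constructed)


def csrf_token_for(session_id: str) -> str:
    """Per-session token: HMAC of the session id under a server secret.
    The server embeds it in its own forms; an attacker's page cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def parse_request(raw: str) -> dict:
    """Minimal parser for a raw HTTP/1.1 request: request line, headers, form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "form": form}


def create_post_naive(req: dict) -> tuple:
    """Vulnerable: a valid sessionid cookie is the only thing checked, so a
    cross-site form auto-submitted by the browser is accepted as the user."""
    user = SESSIONS.get(req["cookies"].get("sessionid"))
    if req["method"] != "POST" or user is None:
        return 401, "not logged in"
    return 201, f"{user}: {req['form'].get('body', '')}"


def create_post_hardened(req: dict) -> tuple:
    """Two independent XSRF defences on top of the session check:
    1. reject if the browser-supplied Origin header names another site;
    2. require the per-session token, compared in constant time.
    The token is the primary control; the Origin check is defence in depth,
    because a missing Origin header must not be treated as proof of anything."""
    sid = req["cookies"].get("sessionid")
    user = SESSIONS.get(sid)
    if req["method"] != "POST" or user is None:
        return 401, "not logged in"
    origin = req["headers"].get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403, "missing or invalid csrf token"
    return 201, f"{user}: {req['form'].get('body', '')}"


def build_request(origin: str, body: str) -> str:
    """Constructed raw request. The browser attaches the session cookie to
    both the user's own form submission and the attacker's auto-submitted one."""
    return ("POST /blog/create HTTP/1.1\r\n"
            "Host: www.romansjournalingsite.com\r\n"
            f"Origin: {origin}\r\n"
            "Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)


def demo() -> dict:
    """Runs both handlers over a legitimate request and a forged one;
    returns the status codes."""
    token = csrf_token_for("Re9ljf4uObKk9mSFqBlusxamUKw")
    legit = parse_request(build_request(
        SITE_ORIGIN,
        f"body=It+was+the+best+of+posts.&csrf_token={token}&submit=Publish"))
    forged = parse_request(build_request(
        "http://evilxsrf.com",
        "body=Arbitrary+Attacker-Controlled+Content.&submit=Publish"))
    return {
        "naive_legit": create_post_naive(legit)[0],
        "naive_forged": create_post_naive(forged)[0],
        "hardened_legit": create_post_hardened(legit)[0],
        "hardened_forged": create_post_hardened(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the naive handler returning 201 for both requests, while the hardened handler returns 201 for the user's own form and 403 for the forged one. The token check alone is enough to stop the attack: the attacker's page can make the browser send the cookie, but it cannot read the blog's own form to learn the token. Marking the session cookie SameSite=Lax would add a third, browser-enforced layer, since the browser would then omit the cookie from a cross-site POST in the first place.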