Introduction to Cross-Site Request Forgery (XSRF)

In this chapter, you will be introduced to cross-site request forgery.

If XSS is a case of a browser trusting JavaScript from the server too much, XSRF is a case of a server trusting a browser too much.

Let’s go back to our example of a blogging site. Somehow there must be a browser request that saves a blog post to the server. Suppose the blog posting request looks something like this:

POST /blog/create HTTP/1.1
Host: www.romansjournalingsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 57
body=It+was+the+best+of+posts.+It+was+the+worst+of+posts.&submit=Publish

In a naive web application, that could be all it takes to publish to a hosted blog—a POST request with a logged-in sessionid cookie. Let’s see how an attacker or an administrator of an evil website could use this for nefarious purposes.

Suppose I run a malicious website. I ostensibly serve up pictures of adorable kittens playing with yarn. But surreptitiously, I also serve up malicious content like this:

Get hands-on with 1400+ tech skills courses.