...
Cross-site Request Forgery (CSRF)
In this lesson, we will discuss Cross-site Request Forgery, how the attack can occur, and what steps can be taken to prevent it.
What is CSRF?
Cross-site Request Forgery (CSRF) is an attack that tricks a web browser into executing an unwanted action in an application after a user logs in. It allows an attacker to make a logged-in user perform an action without their consent or knowledge.
In a CSRF attack the attacker cannot read data from the application, because the response to the forged request goes to the victim's browser, not to the attacker. The attack can nevertheless be devastating, as the attacker can force the user to transfer funds from a banking website or share sensitive information.
How does CSRF work?
To perform a CSRF attack, a few conditions must be met.
- Cookie-based session handling – The user has already logged in to the website that is being attacked, and the website relies on cookies to identify the user.
- No unpredictable request parameters – The requests that perform the malicious action do not contain any parameters whose values the attacker cannot determine or guess. For example, when tricking a user into transferring funds, the attacker must not be required to know the password of the user.
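As an added illustration (this is not code from the original lesson), the following Python model shows a funds-transfer endpoint that satisfies both conditions, beside a hardened version that breaks the second condition by requiring an unpredictable, per-session anti-CSRF token. The `Bank` and `Request` classes, the `https://bank.example` origin, the session id and the balances are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the server sees. The browser attaches the session cookie
    automatically, regardless of which site initiated the request."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class Bank:
    """Hypothetical banking application with one logged-in user."""
    SITE_ORIGIN = "https://bank.example"  # assumed origin of the application

    def __init__(self):
        # Constructed server-side session store: cookie value -> session data.
        self.sessions = {
            "sid-alice": {"user": "alice", "csrf_token": secrets.token_hex(32)},
        }
        self.ledger = {"alice": 1000, "mallory": 0}  # constructed balances

    def _session(self, req):
        # Condition 1: the user is identified purely by the session cookie.
        return self.sessions.get(req.cookies.get("session"))

    def _move_funds(self, sess, req):
        to, amount = req.form["to"], int(req.form["amount"])
        self.ledger[sess["user"]] -= amount
        self.ledger[to] = self.ledger.get(to, 0) + amount
        return 200

    def transfer_vulnerable(self, req):
        """Condition 2 holds: every parameter (to, amount) is guessable, so
        any request that carries the session cookie is honoured."""
        sess = self._session(req)
        if sess is None:
            return 401
        return self._move_funds(sess, req)

    def transfer_hardened(self, req):
        """Breaks condition 2: the request must also carry a secret token that
        only a page served by this site (same origin) can read and embed."""
        sess = self._session(req)
        if sess is None:
            return 401
        token = req.form.get("csrf_token", "")
        # Constant-time comparison against the token bound to this session.
        if not hmac.compare_digest(token, sess["csrf_token"]):
            return 403
        # Defence in depth: when the browser sends an Origin header it must
        # name this site; a cross-site form post carries the other origin.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.SITE_ORIGIN:
            return 403
        return self._move_funds(sess, req)


def demo():
    """Send the same cross-site request to both handlers and return each
    handler's status code together with alice's balance afterwards."""
    forged = Request(
        cookies={"session": "sid-alice"},             # added by the browser
        form={"to": "mallory", "amount": "100"},      # fully guessable values
        headers={"Origin": "https://other.example"},  # constructed origin
    )
    v = Bank()
    v_status = v.transfer_vulnerable(forged)
    h = Bank()
    h_status = h.transfer_hardened(forged)
    return (v_status, v.ledger["alice"]), (h_status, h.ledger["alice"])


if __name__ == "__main__":
    print(demo())  # ((200, 900), (403, 1000))
```

The vulnerable handler moves the money because the cookie alone identifies the user and nothing in the request is secret. The hardened handler refuses the same request because the token is missing, and it would refuse it even with a guessed token because the comparison is against a random per-session value. Marking the session cookie `SameSite=Lax` or `Strict` attacks condition 1 instead, by stopping the browser from attaching the cookie to cross-site requests in the first place; the two defences complement each other.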
CSRF attack using a GET request
Let’s look at an example of a CSRF attack using a GET request. ...