CROSS SITE REQUEST FORGERY (CSRF/XSRF)
Cross Site Request Forgery is a web based attack in which an attacker can launch an action on behalf of an authenticated user without the user actually performing it. According to OWASP, “A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. The malicious code is often not on the attacked site. This is why it is called ‘Cross Site’.”
Let us understand it better by taking an example:
- Bob is logged on to a shopping website, named, for example, http://myshoppingwebsite.com.
- Alice, the attacker, knows that Bob uses myshoppingwebsite.com. Alice then finds out that the website has a CSRF vulnerability.
- Alice then crafts a URL similar to http://myshoppingwebsite.com/completepayment.php?pid=32.
- Alice then embeds the URL in an iframe on a forum which Bob visits.
- As soon as Bob visits the forum, the payment is made from Bob’s account on the shopping website.
This is an example of a cross site request forgery attack on an e-commerce shopping website.
A Cross Site Request Forgery tricks an authenticated user (in most cases) into sending a request to the web application in order to perform a malicious action chosen by the attacker. The request originating from the third-party website looks exactly the same as one generated by a legitimate source, and it is granted the same privileges. Unlike XSS, which exploits the trust a user has in a website, CSRF exploits the trust a user has in his web browser.
Let’s take another example, a banking website on which the user is already authenticated.
The banking website performs specific actions only if they are requested by an authenticated user.
The attacker sends a link to the victim using social engineering and makes him click on it. From the victim’s point of view nothing in particular happened, but in reality the victim made a request to transfer $20000 from his account to the attacker’s account.
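The shopping-site flow above (Bob’s session, Alice’s iframe, completepayment.php?pid=32) and the banking transfer rely on the same weakness, so one added example serves both; it is not code from the original article. It models the payment handler the way the text describes it next to a hardened version with the standard defences (POST only, Origin check, per-session synchronizer token); the session store, the forum URL and the request objects are constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "http://myshoppingwebsite.com"  # the shopping site from the text
# Constructed session store (cookie value -> session); Bob's session holds a synchronizer token.
SESSIONS = {"bob-session-id": {"user": "bob", "csrf_token": secrets.token_hex(16)}}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # query-string or form fields

def vulnerable_complete_payment(req: Request) -> str:
    """Pattern from the text: the session cookie alone authorises a state change on GET,
    so a forum iframe loading completepayment.php?pid=32 looks exactly like Bob's click."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    return f"200 paid pid={req.params['pid']} as {session['user']}"

def hardened_complete_payment(req: Request) -> str:
    """Same action with CSRF defences: POST only, Origin must be the site itself, and the
    form must carry the synchronizer token stored in the requesting user's own session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    if req.headers.get("Origin") != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    if not hmac.compare_digest(req.params.get("csrf_token", ""), session["csrf_token"]):
        return "403 missing or wrong CSRF token"
    return f"200 paid pid={req.params['pid']} as {session['user']}"

# Constructed requests: what Alice's iframe makes Bob's browser send (cookie attached
# automatically, no token, not a POST) and Bob's genuine checkout submission.
FORGED = Request("GET", cookies={"session": "bob-session-id"},
                 headers={"Referer": "http://forum.example/"}, params={"pid": "32"})
GENUINE = Request("POST", cookies={"session": "bob-session-id"},
                  headers={"Origin": SITE_ORIGIN},
                  params={"pid": "32", "csrf_token": SESSIONS["bob-session-id"]["csrf_token"]})

def demo() -> dict:
    return {"vulnerable_forged": vulnerable_complete_payment(FORGED),
            "hardened_forged": hardened_complete_payment(FORGED),
            "hardened_genuine": hardened_complete_payment(GENUINE)}
```

Calling `demo()` shows the vulnerable handler paying on the forged request while the hardened one rejects it and still accepts Bob’s own submission; a forged POST from the forum would fail the Origin check, and one that spoofed the origin would still lack the token.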