Tuesday 18 June 2013

Cross Site Request Forgery (XSRF)


Cross Site Request Forgery (CSRF), also known as XSRF, is a type of attack in which the attacker tricks the user's web browser into sending a request the user never intended to make. To be more specific, let's take an example.

Let's say my friend Jack has an account at www.bank.com, and I want to delete his account from bank.com's server.

I have no clue what his username or password is, but I can still do this by tricking his browser into doing it for me.
Let's say the account removal link is http://www.bank.com/delete.php?confirm=yes
Now all I have to do is put the account removal link inside an image tag, like this:
<img src="http://www.bank.com/delete.php?confirm=yes" />  When Jack loads the page where I have placed my image tag, his browser requests the image's URL on his behalf. Because the browser automatically includes his bank.com session with that request, the server cannot tell it apart from a request Jack made himself. If his session at bank.com is active, his account will be removed.
That's a simple example of what Cross Site Request Forgery is.
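To show why the image-tag request succeeds and what a server has to check to stop it, here is an added example that is not part of the original post. It models the post's delete.php endpoint twice: once as described (any request carrying a valid session cookie deletes the account) and once hardened with three standard CSRF defences that the post does not cover: accepting state changes only over POST (an <img> tag can only issue a GET), checking the Origin/Referer header, and requiring a per-session synchronizer token that a page on another origin cannot read. The Request class, the SESSIONS store, the cookie value and the Referer value are all constructed for the example; they are not bank.com's or any framework's real types or data.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.bank.com"

# Constructed server-side session store: cookie value -> session record.
# A real application would keep this in its session backend.
SESSIONS = {
    "sess-jack-123": {"account": "jack", "csrf_token": secrets.token_urlsafe(32)},
}


@dataclass
class Request:
    """Minimal model of an incoming HTTP request (hypothetical, not a framework type)."""
    method: str
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_delete(req: Request):
    """delete.php as the post describes it: any request that carries a valid
    session cookie and confirm=yes deletes the account. The browser attaches
    the cookie automatically, so a cross-site <img> request succeeds."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    if req.query.get("confirm") != "yes":
        return 400, "missing confirmation"
    return 200, f"deleted account {session['account']}"


def same_origin(value: str) -> bool:
    """True if an Origin/Referer header value belongs to this site.
    Compares scheme and host exactly, so 'www.bank.com.evil.example' fails."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_delete(req: Request):
    """Same endpoint with three independent checks; any one of them stops the
    image-tag request from the post."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # 1. State changes only via POST: an <img> tag can only issue a GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Origin (or Referer as a fallback) must be this site, not a third-party page.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return 403, "cross-site request rejected"
    # 3. Synchronizer token: the form must carry the secret tied to this session.
    #    Another origin cannot read it, and the comparison is constant-time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    if req.form.get("confirm") != "yes":
        return 400, "missing confirmation"
    return 200, f"deleted account {session['account']}"


def forged_image_request() -> Request:
    """The request Jack's browser makes when it renders the <img> tag from the post:
    a GET with Jack's cookie attached, no token, and a Referer from another site."""
    return Request(
        method="GET",
        path="/delete.php",
        query={"confirm": "yes"},
        cookies={"session": "sess-jack-123"},
        headers={"Referer": "https://third-party-page.example/"},  # constructed placeholder
    )


def legitimate_request(token: str = "") -> Request:
    """The request bank.com's own account-settings form produces."""
    if not token:
        token = SESSIONS["sess-jack-123"]["csrf_token"]
    return Request(
        method="POST",
        path="/delete.php",
        cookies={"session": "sess-jack-123"},
        headers={"Origin": SITE_ORIGIN},
        form={"confirm": "yes", "csrf_token": token},
    )


if __name__ == "__main__":
    print("vulnerable, forged:  ", vulnerable_delete(forged_image_request()))
    print("hardened, forged:    ", hardened_delete(forged_image_request()))
    print("hardened, legitimate:", hardened_delete(legitimate_request()))
    print("hardened, bad token: ", hardened_delete(legitimate_request("guess")))
```

Running the block prints a 200 for the forged request against the vulnerable handler and a 405 against the hardened one, while the site's own form still gets a 200. The token check is the one that matters most: the method and Origin checks are cheap defence in depth, but Referer can be absent and older clients may not send Origin, so neither should be the only control. Modern browsers add a further layer if the session cookie is set with the SameSite attribute, which keeps the cookie off cross-site requests like the image load in the first place.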
