Cross-site request forgery (CSRF) is a common vulnerability in web applications in which an attacker causes the victim's browser to send requests to a website that then performs specific actions on behalf of the logged-in user (the victim).
The web server receives the request and carries out the requested work, because the request looks like a normal one generated by the user's browser. The severity of CSRF vulnerabilities varies widely: at one end, settings may be changed or a post made on someone's behalf; at the other, the victim may end up with the password on their account changed, and so on.
CSRF has appeared on the OWASP Top 10 list of web application vulnerabilities for several years. It is commonly misunderstood by developers, who often fail to grasp the root cause of the problem, which leads to half-baked fixes that do not actually prevent CSRF.
Imagine a web banking application that transfers money to another user identified by username. The following URL is generated for this transfer:
So, assuming the user is logged in, when the web application server receives the URL above it simply transfers $500 to the user named John.
That is the normal flow. Now a person with malicious intent creates a web page with the following contents and hosts it somewhere:
<html>
  <head></head>
  <body>
    <!-- The "image" is really the bank's money-transfer URL; the browser sends the victim's session cookie with it -->
    <img src="https://bank.example.com/transfer/money?username=Attacker&amount=2500" />
  </body>
</html>
If the victim, while logged in to the bank application, views the page above, the browser will try to load the image, whose source is really a URL that transfers $2500 to the attacker. Because the browser attaches the victim's session cookie to that request automatically, the bank cannot tell it apart from a transfer the victim initiated.
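The following is an added example, not code from the original article, that replays the scenario above against two simulated versions of the bank's transfer handler. The endpoint path and the names Attacker and John come from the article; the in-memory bank, the session store, the `Request` class, the session cookie value and the `evil.example` origin are constructed for this example. The first handler authenticates by session cookie alone, so the forged `<img>` request succeeds; the second adds the three checks that actually address the root cause: state changes only on POST, the `Origin` header (when the browser sends one) must match the site, and a per-session synchronizer token embedded in the bank's own form must be echoed back.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory bank: balances keyed by username (values invented).
def fresh_bank():
    return {"victim": 10000, "John": 0, "Attacker": 0}

# Constructed session store: cookie value -> session data. A real application
# would use its framework's session mechanism; the token is generated per session.
SESSIONS = {
    "sess-victim-123": {"user": "victim", "csrf_token": secrets.token_hex(16)},
}

@dataclass
class Request:
    method: str
    cookies: dict
    params: dict                          # query string or form fields
    headers: dict = field(default_factory=dict)

def session_for(req):
    return SESSIONS.get(req.cookies.get("session"))

def _do_transfer(sess, req, bank):
    """Move funds from the session's user to the requested username."""
    src, dst = sess["user"], req.params["username"]
    amount = int(req.params["amount"])
    if amount <= 0 or bank[src] < amount:
        return 400, "invalid amount or insufficient funds"
    bank[src] -= amount
    bank[dst] = bank.get(dst, 0) + amount
    return 200, f"transferred {amount} to {dst}"

def transfer_vulnerable(req, bank):
    """Vulnerable handler: trusts the session cookie alone, so any page that
    makes the browser send this URL (an <img> tag, a hidden form) moves money."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    return _do_transfer(sess, req, bank)

def transfer_hardened(req, bank, own_origin="https://bank.example.com"):
    """Hardened handler: POST only, Origin must match when present, and the
    synchronizer token from the bank's own form must match the session's token."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != own_origin:
        return 403, "cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(sess, req, bank)

# What the victim's browser sends when it loads the attacker's <img> tag:
# a GET to the bank with the session cookie attached and no Origin header.
def forged_img_request():
    return Request("GET", {"session": "sess-victim-123"},
                   {"username": "Attacker", "amount": "2500"},
                   headers={"Referer": "https://evil.example/"})

# A forged auto-submitting form on the attacker's page: browsers add Origin to
# cross-site POSTs, and the attacker cannot read the victim's token to include it.
def forged_form_post():
    return Request("POST", {"session": "sess-victim-123"},
                   {"username": "Attacker", "amount": "2500"},
                   headers={"Origin": "https://evil.example"})

# The legitimate transfer of $500 to John from the bank's own form.
def legitimate_post():
    return Request("POST", {"session": "sess-victim-123"},
                   {"username": "John", "amount": "500",
                    "csrf_token": SESSIONS["sess-victim-123"]["csrf_token"]},
                   headers={"Origin": "https://bank.example.com"})

if __name__ == "__main__":
    bank = fresh_bank()
    print("vulnerable, forged <img>:", transfer_vulnerable(forged_img_request(), bank), bank)
    bank = fresh_bank()
    print("hardened, forged <img>:  ", transfer_hardened(forged_img_request(), bank))
    print("hardened, forged POST:   ", transfer_hardened(forged_form_post(), bank))
    print("hardened, legitimate:    ", transfer_hardened(legitimate_post(), bank), bank)
```

The token check is the one defence that holds on its own: the attacker's page can make the victim's browser send a request, but it cannot read the token out of the bank's page, so it cannot supply a valid one. Modern browsers default cookies to `SameSite=Lax`, which would already stop the `<img>` case from carrying the session cookie, but that depends on browser behaviour and cookie settings the application may not control, so it belongs alongside the token, not in place of it.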