WHAT IS CSRF 
Cross-site request forgery attacks

When creating a website, we tend to code the client side and the server side together: we build the pages and forms a user will interact with on the client side, then build the server-side URLs that respond when the user performs an action. However, requests can be triggered to the server-side code from anywhere, not just from the client-side code we write. This is one of the most powerful aspects of how the Internet is designed, since it allows linking between sites, but it is also the cause of a common security flaw: cross-site request forgery (CSRF).

A CSRF attack occurs when a user is tricked into interacting with a page or script on a third-party site that generates a malicious request to your site. All your server will see is an HTTP request from an authenticated user; however, an attacker takes control over the form of the data sent in the request to cause mischief.

Imagine you run the microblogging service Twitter, which allows your users to shout their opinions at each other in 140-character-sized chunks. Mal is a hacker who has noticed that posts on your service are created using GET requests. This means that all the information is carried in the URL of the HTTP request. Mal modifies the post-creation URL to include a malicious payload. Now he has to find some way to get a victim to visit the URL in their browser.

Vic is one of your users. Mal has been able to guess his email address, so Mal sends Vic an email with a very tempting link pointing to the crafted URL. When Vic clicks on the link, your server interprets the request as Vic writing a post and creates a new item on his timeline. This is not the action that Vic intended, but he may not quite have noticed what just occurred. The post is designed to be enticing enough that other users of your site will click on it. When they do, they will be tricked in the same way Vic was. You now have a worm on your site, as each user who clicks the link will open up a new set of potential victims. Bad news.

Knowing how to protect against forged requests is essential for every web developer. Click on the link to learn how to protect yourself, or move on to the next video.
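As an added illustration (this is not code from the original video or page), here is a small Python model of the flaw the story describes, a handler that creates a post from any GET request carrying a session cookie, placed next to a hardened handler that only accepts POST, requires a token bound to the user's session that a third-party page cannot read, and rejects requests whose Origin header names another site. The Request class, the in-memory session and timeline tables, the SECRET_KEY and the https://twitter.example origin are all constructed for this example rather than taken from any real service.

```python
"""Added example: the GET-based post-creation flaw beside a hardened handler.

Everything here is constructed for illustration: Request stands in for a web
framework's request object, the session table maps a cookie value to a user,
and SECRET_KEY is a per-deployment secret used to derive CSRF tokens.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)      # constructed per-deployment secret

@dataclass
class Request:
    method: str
    path: str
    session_id: str                        # the browser attaches this cookie automatically
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

timelines = {}                             # user -> list of posts (in-memory)
sessions = {"sess-vic": "vic"}             # constructed session cookie -> user table


def vulnerable_create_post(req: Request):
    """Flawed handler: a GET with a 'text' parameter creates a post for whichever
    user's session cookie the browser sends. A link on any other site suffices."""
    user = sessions.get(req.session_id)
    if user is None:
        return 401, "not logged in"
    if req.method == "GET" and req.path == "/post":
        timelines.setdefault(user, []).append(req.params["text"])
        return 200, "posted"
    return 404, "not found"


def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to the session (synchronizer-token pattern).
    The site embeds it in its own forms; another origin cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_create_post(req: Request, expected_origin: str = "https://twitter.example"):
    """Hardened handler: state changes only via POST, with a session-bound token,
    and any Origin header the browser supplies must match our own site."""
    user = sessions.get(req.session_id)
    if user is None:
        return 401, "not logged in"
    if req.path != "/post":
        return 404, "not found"
    if req.method != "POST":                       # GET must never change state
        return 405, "method not allowed"
    origin = req.headers.get("Origin")
    if origin is not None and origin != expected_origin:
        return 403, "cross-origin request rejected"
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(req.session_id)):
        return 403, "missing or invalid CSRF token"
    timelines.setdefault(user, []).append(req.params["text"])
    return 200, "posted"


if __name__ == "__main__":
    # A request the browser would issue after following a link elsewhere.
    linked = Request("GET", "/post", "sess-vic", {"text": "constructed payload"})
    print("vulnerable:", vulnerable_create_post(linked))   # creates the post
    print("hardened:  ", hardened_create_post(linked))     # 405, nothing created
    # The site's own form supplies the token, so the legitimate path still works.
    own_form = Request("POST", "/post", "sess-vic",
                       {"text": "hello", "csrf_token": csrf_token_for("sess-vic")},
                       {"Origin": "https://twitter.example"})
    print("own form:  ", hardened_create_post(own_form))   # 200
```

The token check is the core defence: the third-party page can make Vic's browser send a request with his cookie, but it cannot read the token embedded in your site's own form, so the forged request fails. The Origin check is a second, independent layer, and marking the session cookie SameSite is a complementary browser-side control; the point of the example is that the GET-changes-state design had none of these.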
