|
When visiting a Web site, the HTML code behind the scenes is capable of making a Web browser request third-party content from any other Web site. Most of the time these requests are for images, Cascading Style Sheets, JavaScript, or pieces of other Web pages. However, nothing prevents a malicious Web page from forcing a victim's browser to make an unintended request to any other Web site. This is where the name cross-site request forgery (CSRF or XSRF) comes from.
Using CSRF, if a victim happens to be logged into their bank site, an unintended request could force them to wire transfer out their own money. Or, in another context, CSRF could cause a user to post a derogatory comment on their blog or someone else's. Worse still, it could force a hack another Web site or download illegal content. The possibilities are endless.
To Web servers, one request looks more or less just like another. The challenge of this particular issue is detection. The unintended request is legitimate (not hacked up), the user is the right user (authenticated), and the request is being made directly to the real Web site (no man-in-the-middle). The only problem is the victim did not intend to make the request, but the Web server doesn't know that. And the scary part is the vast majority of Web sites are vulnerable with users having very little ability to defend themselves against CSRF.
More information:
|
