Cross-site request forgery (CSRF) is a type of website exploit in which unauthorized commands are transmitted to a web application from a user the application trusts. CSRF exploits a website's trust in a particular user's browser (typically the session cookie that browser sends automatically), as opposed to cross-site scripting, which exploits the user's trust in a website.
This term is also known as session riding or a one-click attack.
A CSRF attack usually uses the browser's GET request as its entry point. The attacker embeds HTML tags such as IMG whose source URL points at the target website; when the victim's browser renders the page, it issues that request and automatically attaches the victim's cookies for the site, so the victim becomes an unwitting host and accomplice. The website often has no sign that it is under attack, since the commands arrive from a legitimate, authenticated user. The attacker might issue a request to transfer funds to another account, withdraw funds or, in the case of PayPal and similar sites, send money to another account.
A CSRF attack is hard to execute because several things have to line up for it to succeed: the victim must be logged in to the target site, the attacker must know which site and which request parameters to target, the victim must be lured into loading the attacker's content, and the site must accept the resulting request without any further check.
For example, suppose that Person A is browsing his bank account while also in a chat room. An attacker (Person B) in the chat room learns that Person A is logged in to bank.com. Person B lures Person A into clicking a link for a funny image. The IMG tag's URL carries values for bank.com's form inputs, so loading it effectively transfers a certain amount from Person A's account into Person B's account. If bank.com does not require secondary authentication from Person A before the funds are transferred, the attack succeeds.
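The chat-room scenario above, worked through as an added example (this is not code from the original article or from any real bank). It models bank.com with in-memory stand-ins: a session table, two balances, and two versions of the transfer handler. The vulnerable handler trusts the session cookie alone and accepts GET, so the IMG tag Person B posts moves money. The hardened handler is an assumed defense, not something the article describes: it insists on POST and on a per-session anti-CSRF token derived by HMAC from a server secret, which a page served from another origin cannot read or forge. The SECRET_KEY, session id, account names and amounts are all constructed for the demo.

```python
import hmac
import hashlib
import re
from urllib.parse import urlparse, parse_qs

# Constructed in-memory stand-ins for bank.com (assumption, not a real bank API).
SECRET_KEY = b"server-side-secret-used-to-derive-csrf-tokens"  # assumed fixed for the demo
SESSIONS = {"sess-A": "personA"}          # session cookie value -> logged-in user
BALANCES = {"personA": 1000, "personB": 0}

# What Person B posts in the chat: an "image" whose URL is really a transfer request.
ATTACK_IMG = '<img src="https://bank.com/transfer?to=personB&amount=500">'
VICTIM_COOKIES = {"session": "sess-A"}    # Person A's browser holds this cookie for bank.com


def csrf_token(session_id):
    """Anti-CSRF token bound to the session: HMAC-SHA256(secret, session id).
    Only pages served by bank.com carry it, so the attacker's page cannot forge it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def browser_request(method, url, cookies, body=None):
    """Model a browser request: cookies for the target origin are attached
    automatically, no matter which page caused the request to be sent."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {"method": method, "path": parsed.path, "params": params,
            "cookies": cookies, "body": body or {}}


def img_tag_to_request(tag, cookies):
    """Rendering <img src=...> makes the browser issue a GET for the src, cookies included."""
    src = re.search(r'src="([^"]+)"', tag).group(1)
    return browser_request("GET", src, cookies)


def apply_transfer(user, to, amount):
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount


def transfer_vulnerable(req):
    """Checks only the session cookie and accepts GET: the exact hole CSRF rides."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    apply_transfer(user, req["params"]["to"], int(req["params"]["amount"]))
    return "200 transferred"


def transfer_hardened(req):
    """Requires POST plus a token that only a page served by bank.com could embed."""
    sid = req["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if req["method"] != "POST":
        return "405 state change must use POST"
    submitted = req["body"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(sid)):
        return "403 missing or wrong csrf token"
    apply_transfer(user, req["body"]["to"], int(req["body"]["amount"]))
    return "200 transferred"


def simulate():
    """Run the forged IMG request against both handlers, then a legitimate transfer.
    Returns {scenario: (handler response, Person A balance, Person B balance)}."""
    results = {}
    forged = img_tag_to_request(ATTACK_IMG, VICTIM_COOKIES)

    BALANCES.update(personA=1000, personB=0)
    results["vulnerable"] = (transfer_vulnerable(forged), BALANCES["personA"], BALANCES["personB"])

    BALANCES.update(personA=1000, personB=0)
    results["hardened_forged"] = (transfer_hardened(forged), BALANCES["personA"], BALANCES["personB"])

    # Attacker upgrades to an auto-submitted POST form: the cookie still rides along,
    # but the token has to be guessed and the guess fails.
    forged_post = browser_request("POST", "https://bank.com/transfer", VICTIM_COOKIES,
                                  {"to": "personB", "amount": "500", "csrf_token": "guess"})
    results["hardened_forged_post"] = (transfer_hardened(forged_post), BALANCES["personA"], BALANCES["personB"])

    # Person A's own transfer form, rendered by bank.com with the session's token embedded.
    legit = browser_request("POST", "https://bank.com/transfer", VICTIM_COOKIES,
                            {"to": "personB", "amount": "100", "csrf_token": csrf_token("sess-A")})
    results["hardened_legit"] = (transfer_hardened(legit), BALANCES["personA"], BALANCES["personB"])
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:22s} -> {outcome}")
```

The point the simulation makes is that the cookie check alone cannot distinguish Person A's own click from a request Person B tricked the browser into sending; only something the attacker's page cannot obtain, such as the token tied to the session, separates the two. In a real deployment the token check belongs on every state-changing endpoint, and marking the session cookie SameSite=Lax or Strict adds a second, browser-enforced layer so cross-site loads do not carry the cookie at all.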