Cross-Site Request Forgery

What Does Cross-Site Request Forgery Mean?

Cross-site request forgery (CSRF) is a type of website exploit carried out by issuing unauthorized commands from a trusted website user. CSRF exploits a website’s trust for a particular user’s browser, as opposed to cross-site scripting, which exploits the user’s trust for a website.

Advertisements

This term is also known as session riding or a one-click attack.

Techopedia Explains Cross-Site Request Forgery

A CSRF usually uses a browser’s “GET” command as the exploit point. CSR forgers use HTML tags such as “IMG” to inject commands into a specific website. A particular user of that website is then used as a host and an unwitting accomplice. Often the website does not know that it is under attack, since a legitimate user is sending the commands. The attacker might issue a request to transfer funds to another account, withdraw more funds or, in the case of PayPal and similar sites, send money to another account.

A CSRF attack is hard to execute because a number of things have to happen in order for it to succeed:

  • The attacker must target either a website that does not check the referrer header (which is common) or a user/victim with a browser or plug-in bug that allows referrer spoofing (which is rare).
  • The attacker must locate a form submission at the target website, which must be capable of something like changing the victim’s email address login credentials or doing money transfers.
  • The attacker must determine the correct values for all of the form’s or URL’s inputs. If any of them are required to be secret values or IDs that the attacker cannot accurately guess, the attack will fail.
  • The attacker must lure the user/victim to a Web page with malicious code while the victim is logged in to the target site.

For example, suppose that Person A is browsing his bank account while also in a chat room. There is an attacker (Person B) in the chat room who learns that Person A is also logged in to bank.com. Person B lures Person A to click on a link for a funny image. The “IMG” tag contains values for bank.com’s form inputs, which will effectively transfer a certain amount from Person A’s account into Person B’s account. If bank.com does not have secondary authentication for Person A before the funds are transferred, the attack will be successful.

Advertisements

Related Terms

Latest Cybersecurity Terms

Related Reading

Margaret Rouse
Margaret Rouse

Margaret Rouse is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical, business audience. Over the past twenty years her explanations have appeared on TechTarget websites and she's been cited as an authority in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine and Discovery Magazine.Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages. If you have a suggestion for a new definition or how to improve a technical explanation, please email Margaret or contact her…

Related News

dummy_img
Artificial Intelligence

Blockchain vs Deep Fakes: A Fair Fight in the Battle for Truth?

Arthur Cole12 years
dummy_img
Artificial Intelligence

AI Video Game Testing: Is it a Turbo Boost For Quality Assurance?

Alessandro Mascellino12 years
dummy_img
Featured Content

New Low Market Cap Cryptocurrency Green Bitcoin ($GBTC) Begins Presale, Raises $275,000 In 24 Hours.

Alan Draper12 yearsEditor-in-Chief
dummy_img
Blockchain

Experts Roundtable: What DEXs Must Do Better for Adoption

Iliana Mavrou12 yearsCrypto Writer
dummy_img
Artificial Intelligence

AI Alliance: More Than 50 Organizations Cast Wide Safety Net

Nicole Willing12 yearsTechnology Writer
dummy_img
Featured Content

Chimpzee (CHMPZ) Will Soon End Its Presale, Enter Now Before Inevitable 10x Growth After Exchange Listing

Alan Draper12 yearsEditor-in-Chief

Popular Categories
Show All

Antivirus
Antivirus
Artificial Intelligence
Artificial Intelligence
Audio
Audio
CRM
CRM
Cryptocurrency
Cryptocurrency
Gambling
Gambling
Gaming
Gaming
HR
HR
Investing
Investing
Laptops
Laptops
Network
Network
Password Managers
Password Managers
Project Management
Project Management
Spy
Spy
VoIP
VoIP
VPN
VPN