Cross-site request forgery (CSRF/XSRF)

CSRF (pronounced "sea-surf"). Example:
<!-- page served from http://malicious-site.com/index.php -->
<html>
    <body>
        <img alt="you have just been signed out" src="http://example.com/signout" />
    </body>
</html>
What's going on? You just requested an image, and doing so signed you out of example.com.

How does it work? You visit a malicious site whose page contains that <img> tag. Your browser fetches the image URL, which is really the sign-out page on example.com, and because the request is addressed to example.com it automatically attaches your existing credentials for that site (its session cookie). Nothing crosses domains: the browser simply sends an ordinary request to the domain named in the URL, so from the server's point of view it is an authenticated request from you. Because you requested the page, you have been signed out.

More

The <img> tag is only one vector. A form can be submitted, along with its data. An iframe can be requested (<iframe src="http://example.com/signout"></iframe>).
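To see why the sign-out endpoint above is exposed and what a fix looks like, here is an added example (not code from the original post): a minimal sign-out handler in its vulnerable form beside a hardened one that requires POST plus a per-session CSRF token. The in-memory session store, the cookie and form dictionaries, and all function names are hypothetical.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# Hypothetical names; not code from the original post.
def new_session(sessions, user):
    sid = "sid-" + secrets.token_hex(8)
    sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def signout_vulnerable(sessions, method, cookies, form):
    """Mirrors the example.com/signout endpoint above: the only check is the
    session cookie, which the browser attaches to *any* request for
    example.com, including an <img> fetch embedded on another site."""
    sid = cookies.get("session")
    if sid not in sessions:
        return 401, "no session"
    del sessions[sid]
    return 200, "signed out"

def signout_hardened(sessions, method, cookies, form):
    """Requires a POST carrying the per-session CSRF token. The token is only
    visible to pages served by example.com, so a cross-site <img>, <iframe>
    or auto-submitted form has the cookie but cannot supply the token."""
    sid = cookies.get("session")
    session = sessions.get(sid)
    if session is None:
        return 401, "no session"
    if method != "POST":                      # <img>/<iframe> can only GET
        return 405, "use POST"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):  # constant-time compare
        return 403, "missing or invalid csrf token"
    del sessions[sid]
    return 200, "signed out"

def demo():
    """Replays the cross-site <img> request against both handlers and returns
    (vulnerable status, hardened status, legitimate same-site status)."""
    sessions = {}
    sid = new_session(sessions, "alice")
    cookies = {"session": sid}             # what the browser attaches automatically
    cross_site_img = ("GET", cookies, {})  # no token: the other site never sees it
    vuln = signout_vulnerable(dict(sessions), *cross_site_img)[0]
    hard = signout_hardened(sessions, *cross_site_img)[0]
    legit = signout_hardened(sessions, "POST", cookies,
                             {"csrf_token": sessions[sid]["csrf"]})[0]
    return vuln, hard, legit
```

Calling demo() returns (200, 405, 200): the cross-site image request succeeds against the vulnerable handler, is rejected by the hardened one, and a genuine same-site form post with the token still works.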
