Posts

Showing posts from February, 2013

CSRF - Cross-site request forgery

Cross-site request forgery, abbreviated as CSRF and also known as XSRF (the X represents "Cross"), is an attack whereby unauthorized commands are transmitted from a user that the website trusts.
Why the name XSRF?
Well, let's not argue about the name. In my view, the name has its origin in XSS (Cross-Site Scripting), which cannot be abbreviated as CSS because that already stands for Cascading Style Sheets. Now, why does the website trust it?
Well, it does so because hackers exploit the trust that a site has in its authorized users, or in other words, in the user's SESSION. The following examples will make it clear how CSRF works. Suppose a bank site is CSRF-vulnerable.
Now let's assume that User A wants to transfer X amount of money to User B, and the form he has to fill out contains the following fields: Amount and User B's account number (let's assume it is 1234). The form sends a POST/GET request to a script (let's call it http://studbank.com/transfer.php), which checks for User A's session and then transfers the amount according to the GET/POST variables.
Now l…
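An added example, not code from the original post, of the transfer script described above, written in Python rather than PHP so it runs stand-alone: `transfer_vulnerable` trusts the session alone, while `transfer_hardened` also requires POST and a per-session token. The function names, the in-memory session store and the balances are assumptions constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the bank's session store and ledger.
SESSIONS = {}                      # session id -> {"user": ..., "csrf": ...}
BALANCES = {"A": 100, "1234": 0}   # "1234" is User B's account from the text

def login(user):
    """Create a session and a random anti-CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid

def _move(user, params):
    """Shared ledger update; validates the request variables first."""
    try:
        amount, to = int(params["amount"]), params["to"]
    except (KeyError, ValueError):
        return "rejected: bad request"
    if amount <= 0 or amount > BALANCES[user]:
        return "rejected: bad amount"
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount
    return "ok"

def transfer_vulnerable(cookie_sid, params):
    """Behaviour the post describes: only the session cookie is checked,
    so any request the browser sends with that cookie is honoured."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "rejected: not logged in"
    return _move(session["user"], params)

def transfer_hardened(cookie_sid, method, params):
    """Same transfer, but a state change needs POST plus the session's token,
    which another site cannot read and therefore cannot include."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "rejected: not logged in"
    if method != "POST":
        return "rejected: method"
    sent = str(params.get("csrf_token", ""))
    # Constant-time comparison on bytes avoids leaking the token via timing.
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return "rejected: csrf"
    return _move(session["user"], params)
```

In a real form the token would be rendered into a hidden field of the bank's own transfer page, so only requests originating from that page carry it.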