
What is CSRF?

I hear "CSRF" a lot but I have no idea about it. Can anyone explain it shortly?

Question added by Zaid Rabab'a, Software Development Team Leader, Al-Safa Co. Ltd.
Publication date: 2013/04/09
Deleted user
by Deleted user

According to Wikipedia a CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Hazem Salama
by Hazem Salama, Senior Member of Technical Staff, Verizon Communications

Well, to put it simply, it is when unauthorized requests are being made to a web server pretending to be from some authorized users.
Most web developers would check to see if the request came from an authorized browser (via cookies) but not who initiated the request.
Hackers can simply assemble some HTML and convince users to click on it, which will initiate the action from the user's browser, hoping that the user's session is still valid.
The key to this is twofold.
First, never perform a dangerous action via a GET request, like the one mentioned here by Husni Mansour.
Any meaningful action should always be via a POST request. Second, you should send some key value together with the first request and store that as a cookie and as a hidden form field.
Then when the form is submitted, check both values to make sure they are the same.
A hacker can modify your form fields but cannot read/modify your cookies due to the same-origin policy.

Abdulrahman M
by Abdulrahman M, Head developer, Kleeja

It's a type of hacking, by submitting a form or using a link without authorization, or with faked authorization.
Suppose you enter a website that uses an iframe with a link to your bank, and the link is for deleting the account there...
It can be avoided by using links that expire after a short time, or a unique id for every form as a hidden input or in the link as a GET var, like link?unique_id=32efewf523523
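The two defences described in Hazem Salama's and Abdulrahman M's answers, the double-submit cookie check and the short-lived per-form token, as an added example that is not code from any of the answers or from a framework. The `Request` type, the `csrf_token` cookie/field name and the 600-second lifetime are assumptions made for the illustration.

```python
"""Two CSRF defences as self-contained, hypothetical code (not from any framework).

Defence 1 (double-submit cookie): the server sends a random token both as a
cookie and as a hidden form field; on POST, both must be present and equal.
Defence 2 (per-form token): the server issues a single-use, short-lived token
tied to the session and stored server-side; the form must return it.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 600  # assumed lifetime for per-form tokens


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (not a real framework object)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# --- Defence 1: double-submit cookie ------------------------------------------
def issue_double_submit_token() -> str:
    """Token the server sets as the 'csrf_token' cookie AND embeds as a hidden field."""
    return secrets.token_urlsafe(32)


def check_double_submit(req: Request) -> bool:
    """Accept a state-changing request only if cookie and form token match."""
    if req.method.upper() != "POST":
        # State changes are never accepted via GET (a link or <img> can trigger a GET).
        return False
    cookie_token = req.cookies.get("csrf_token")
    form_token = req.form.get("csrf_token")
    if not cookie_token or not form_token:
        return False
    # A cross-site page can submit a form carrying the session cookie, but the
    # same-origin policy stops it from reading that cookie, so it cannot place a
    # matching value in the hidden field. Constant-time compare avoids leaking
    # token bytes through timing differences.
    return hmac.compare_digest(cookie_token, form_token)


# --- Defence 2: server-side per-form token with expiry ------------------------
class FormTokenStore:
    """Issues single-use tokens bound to a session and valid for a short time."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, clock=time.time):
        self._tokens: dict[str, tuple[str, float]] = {}  # token -> (session, expiry)
        self._ttl = ttl
        self._clock = clock  # injectable for testing expiry deterministically

    def issue(self, session_id: str) -> str:
        """Generate a token when rendering a form; embed it as a hidden input."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._clock() + self._ttl)
        return token

    def consume(self, session_id: str, token: str) -> bool:
        """Validate and invalidate the token on form submission."""
        entry = self._tokens.pop(token, None)  # single use: gone after first check
        if entry is None:
            return False  # unknown, already used, or forged token
        owner, expires_at = entry
        return owner == session_id and self._clock() <= expires_at


if __name__ == "__main__":
    tok = issue_double_submit_token()
    ok = Request("POST", {"csrf_token": tok}, {"csrf_token": tok})
    forged = Request("POST", {"csrf_token": tok}, {"csrf_token": "guess"})
    print("legitimate submit:", check_double_submit(ok))  # True
    print("cross-site submit:", check_double_submit(forged))  # False
```

In practice the double-submit cookie should also be marked `SameSite` and the per-form token checked on every state-changing handler, not only on the ones a developer remembers are sensitive.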

Husni Mansour
by Husni Mansour, Software Engineer, Souq.com

Suppose you access your bank account from your PC. The web portal of the bank has the option to send money to other users in a way like http://bank.com/index.php?action=transfer&amount=100&to=husni. You log in and do your stuff there, and change the tab to another website that has a fake link in the form of the one that your bank uses.
I guess this is the simplest way to explain this.

Panneer selvam xavier
by Panneer selvam xavier, Supply Chain Analyst / Trainer, Infonet

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.
A successful CSRF exploit can compromise end user data and operations in the case of a normal user.
If the targeted end user is the administrator account, this can compromise the entire web application.

Deleted user
by Deleted user

Cross-site request forgery (XSRF or CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user.
An XSRF attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions.
A compromised user may never know that such an attack has occurred.
If the user does find out about an attack, it may only be after the damage has been done and a remedy may be impossible.
http://searchsoftwarequality.techtarget.com/definition/cross-site-request-forgery
