Difference between revisions of "Cross-site request forgery"

From Wiki @ Karl Jones dot com
Jump to: navigation, search
(Created page with "'''Cross-site request forgery''', also known as '''one-click attack''' or '''session riding''' and abbreviated as '''CSRF''' (sometimes pronounced sea-surf) or '''XSRF''', is...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
'''Cross-site request forgery''', also known as '''one-click attack''' or '''session riding''' and abbreviated as '''CSRF''' (sometimes pronounced sea-surf) or '''XSRF''', is a type of malicious exploit of a [[website]] where unauthorized commands are transmitted from a user that the website trusts.
 
'''Cross-site request forgery''', also known as '''one-click attack''' or '''session riding''' and abbreviated as '''CSRF''' (sometimes pronounced sea-surf) or '''XSRF''', is a type of malicious exploit of a [[website]] where unauthorized commands are transmitted from a user that the website trusts.
 +
 +
== Description ==
 +
 +
CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.
 +
 +
Attackers who can find a reproducible link that executes a specific action on the target page while the victim is logged in there can embed such link on a page they control and trick the victim into opening it.
 +
 +
The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (for example, a discussion forum), or sent in a HTML email body or attachment.
 +
 +
A cross-site request forgery is a [[Confused deputy problem|confused deputy attack]] against a [[web browser]].
  
 
== Comparison with cross-site scripting ==
 
== Comparison with cross-site scripting ==

Latest revision as of 09:47, 8 November 2016

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.

Description

CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF.

Attackers who can find a reproducible link that executes a specific action on the target page while the victim is logged in there can embed such link on a page they control and trick the victim into opening it.

The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (for example, a discussion forum), or sent in a HTML email body or attachment.

A cross-site request forgery is a confused deputy attack against a web browser.

Comparison with cross-site scripting

Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

See also

External links