Tuesday, April 22

CSRF - Cross-Site Request Forgery





When you are logged in to your bank's website, why should you not open some unknown or untrusted application in another tab of the same browser?

You might become a CSRF victim.

How does that happen?

Let's understand this with a simple example.

Let's say you open the browser and log in to your bank website www.mybank.com with your username and password.

When you do this, the bank may persist your authentication state in a cookie. For example: you log in with your username and password and, after successful authentication, the bank website stores "isUserAlreadyLoggedIn"="true" in a client-side cookie. From now on the browser attaches that cookie to every request it sends to www.mybank.com, no matter which page or tab created the request.







After this you open an evil website in a new tab, maybe by clicking a link on some other page in the same window. That evil website might contain a form whose action points at the bank's money-transfer URL, with the transfer details pre-filled in hidden fields, such as

name="amount" value="50000"

plus the attacker's destination account, and a visible submit button labelled

Win Lottery

On the page opened from the evil link you click the Win Lottery button. This click submits a money-transfer request to the bank, and the money is transferred to some other account without your knowledge. The bank application identifies the logged-in user from the cookie data, where "isUserAlreadyLoggedIn" is already set to true, so the request passes authentication without any problem.



This example is just to illustrate CSRF, i.e. cross-site request forgery. These days bank applications and browsers are much more intelligent in defending against these attacks: applications tie every state-changing form to an unpredictable anti-CSRF token and check the request's Origin header, and browsers honour the SameSite cookie attribute so that a cookie marked SameSite=Lax is not sent on a cross-site POST at all.

