4 Cross-site request forgery
This chapter covers
- Learning how cross-site request forgery (CSRF) works
- Looking at consequences CSRF may bring
- Preventing CSRF
- Protecting cookies to prevent CSRF
- Clickjacking and how it’s related to CSRF
In 2005, security researcher Samy Kamkar found a security vulnerability in the then-popular social network Myspace (if you’ve been around long enough, you might remember that service). He managed to inject JavaScript code into his profile page, a classical cross-site scripting (XSS) attack (explained in chapter 2). The JavaScript code, however, did something really interesting: when executed, it issued an HTTP request on the victim’s behalf, adding them to Kamkar’s friends list. This started a chain reaction, and ...