CSRF

Earlier, I briefly mentioned that browsers automatically attach a site's cookies to every request sent to that site, no matter which page caused the request to be made. For example, once the user has authenticated to the http://email.site application, a session cookie is created, and any subsequent request carrying it is treated as authenticated. A CSRF attack takes advantage of this user experience feature to abuse overly trusting applications.

It is common for applications to allow users to update their profile with custom values that are passed via GET or POST requests. The application will, of course, check whether the request is authenticated, and perhaps even sanitize the input to prevent SQLi or XSS attacks, but neither check tells it whether the user actually intended to send that request.
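To make the trust problem concrete, here is an added example (not code from the book) that models a profile-update endpoint as a plain Python function. The first handler accepts any request that carries a valid session cookie, which is exactly the pattern described above. The second adds two standard CSRF defences: a per-session synchronizer token that must be echoed back in the form, and an Origin/Referer check against the application's own origin. The stores, origin (`https://email.site`), user and addresses are all constructed for the demo; the `demo()` function replays one legitimate submission and one request auto-submitted from another origin against both handlers so you can see which one changes the profile.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# In-memory stores standing in for the application's database (constructed for this demo).
SESSIONS = {}   # session cookie value -> {"user": name, "csrf_token": token}
PROFILES = {"alice": {"email": "alice@example.invalid"}}

SITE_ORIGIN = "https://email.site"   # hypothetical origin of the application


def create_session(user):
    """Log a user in: mint a session cookie value and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def make_request(cookies, form, headers):
    """Minimal stand-in for an HTTP POST as the server sees it."""
    return {"cookies": cookies, "form": form, "headers": headers}


def update_profile_vulnerable(req):
    """Trusts the session cookie alone: authenticated, but not necessarily intended."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not authenticated"
    PROFILES[sess["user"]]["email"] = req["form"].get("email", "")
    return 200, "profile updated"


def update_profile_hardened(req):
    """Same handler with two independent CSRF defences."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not authenticated"
    # Defence 1: synchronizer token. The form must carry the token the server
    # embedded in the page it served; a page on another origin cannot read it.
    submitted = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    # Defence 2: Origin/Referer check. Browsers set Origin on cross-site POSTs
    # and script cannot override it; reject anything that is not our own origin.
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source is None:
        return 403, "no Origin or Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    PROFILES[sess["user"]]["email"] = req["form"].get("email", "")
    return 200, "profile updated"


def demo():
    """Replay one legitimate and one cross-site request against both handlers."""
    sid = create_session("alice")
    cookie = {"session": sid}   # the browser attaches this to every request to email.site
    # Legitimate submission from the application's own profile form.
    own_form = make_request(
        cookie,
        {"email": "alice@corp.invalid", "csrf_token": SESSIONS[sid]["csrf_token"]},
        {"Origin": SITE_ORIGIN},
    )
    # Request auto-submitted by a page on another origin: the cookie still rides
    # along, but that page does not know the token and the browser reports its origin.
    cross_site = make_request(
        cookie,
        {"email": "changed@other.invalid"},
        {"Origin": "https://other.invalid"},
    )
    return {
        "vuln_own": update_profile_vulnerable(own_form)[0],
        "vuln_cross": update_profile_vulnerable(cross_site)[0],
        "hard_own": update_profile_hardened(own_form)[0],
        "hard_cross": update_profile_hardened(cross_site)[0],
    }


if __name__ == "__main__":
    print(demo(), PROFILES["alice"])
```

The vulnerable handler returns 200 for both requests, so the cross-site one silently rewrites the stored address; the hardened handler returns 403 for it and leaves the profile as the legitimate submission set it. In a real deployment you would additionally mark the session cookie `SameSite=Lax` or `Strict`, which stops the browser attaching it to most cross-site requests in the first place, and keep the token check as the defence that does not depend on browser behaviour.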

Consider a scenario where we've tricked the victim into visiting a malicious site, or perhaps ...
