How it works...
Our test application for this recipe was a web page (client.php) that consumed the REST web service (server.php) to retrieve a secret word. We attempted to use a web page in our local system to perform a CSRF attack, but it failed because the server doesn't define a CORS policy and the browser, by default, denies cross-origin requests.
We then made an HTML form to send the same parameters as in the JavaScript request, but in HTML form format, and it succeeded. It's not uncommon for web services to receive information in multiple formats, such as XML, JSON, or HTML forms, because they are intended to interface with many different applications; however, this openness may expose the web services to attacks, especially when vulnerabilities ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access