Cross-Site Request Forgery (XSRF)
If XSS is a case of a browser trusting JavaScript from the server too much, XSRF is a case of a server trusting a browser too much.
Let’s go back to our example of a blogging site. Somehow there must be a browser request that saves a blog post to the server. Suppose the blog posting request looks something like this:
POST /blog/create HTTP/1.1
Host: www.romansjournalingsite.com
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 72

body=It+was+the+best+of+posts.+It+was+the+worst+of+posts.&submit=Publish
In a naive web application, that could be all it takes to publish ...
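To make the "server trusting a browser too much" point concrete, here is an added example (not code from Practical Security or from any real blogging site) that models two versions of the /blog/create handler. The naive one publishes as soon as it sees a valid sessionid cookie; the checked one also requires a per-session token that only a page served by the site itself can embed, and rejects an Origin header that names another site. The session id and request shape come from the excerpt above; the server secret, the handler names, the attacker's page at evil.example and the forged request it produces are all constructed for illustration.

```python
"""Forged cross-site POST against a naive handler vs. one that checks a session-bound token."""
import hmac
import hashlib
from urllib.parse import parse_qs

# Constructed data for the example: one logged-in session and a fixed server secret.
# A real deployment would generate the secret randomly and keep it out of source control.
SESSIONS = {"Re9ljf4uObKk9mSFqBlusxamUKw": "roman"}
SERVER_SECRET = b"constructed-secret-for-illustration-only"
SITE_ORIGIN = "https://www.romansjournalingsite.com"
POSTS = []  # (user, text) tuples appended by the handlers


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.decode("utf-8")}


def session_id(req: dict):
    """Return the sessionid cookie value, or None if the browser sent none."""
    cookies = dict(c.strip().split("=", 1) for c in req["headers"].get("cookie", "").split(";") if "=" in c)
    return cookies.get("sessionid")


def csrf_token_for(sid: str) -> str:
    """Per-session token: HMAC(server secret, session id). Derived, so nothing extra is stored,
    and unknowable to a third-party site that can only make the browser *send* the cookie."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def handle_create_naive(raw: bytes) -> tuple:
    """Naive handler: a valid session cookie is all it takes to publish."""
    req = parse_request(raw)
    user = SESSIONS.get(session_id(req) or "")
    if req["method"] != "POST" or user is None:
        return 403, "not logged in"
    form = parse_qs(req["body"])
    POSTS.append((user, form.get("body", [""])[0]))
    return 200, "published"


def handle_create_checked(raw: bytes) -> tuple:
    """Hardened handler: same cookie check, plus an Origin check and a session-bound token."""
    req = parse_request(raw)
    sid = session_id(req)
    user = SESSIONS.get(sid or "")
    if req["method"] != "POST" or user is None:
        return 403, "not logged in"
    # Browsers attach Origin to cross-site POSTs; an unexpected value is an immediate reject.
    origin = req["headers"].get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin"
    # The token is the real defence: it still holds when Origin is absent (older clients, proxies).
    form = parse_qs(req["body"])
    supplied = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(csrf_token_for(sid).encode(), supplied.encode()):
        return 403, "missing or bad csrf token"
    POSTS.append((user, form.get("body", [""])[0]))
    return 200, "published"


def build_request(body: str, extra_headers=()) -> bytes:
    """Assemble a request in the shape shown in the excerpt, with a correct Content-Length."""
    headers = [
        "POST /blog/create HTTP/1.1",
        "Host: www.romansjournalingsite.com",
        "Cookie: sessionid=Re9ljf4uObKk9mSFqBlusxamUKw",
        "Content-Type: application/x-www-form-urlencoded; charset=utf-8",
        f"Content-Length: {len(body.encode())}",
        *extra_headers,
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


# Roman's own publish form embeds the token as a hidden field, so his request carries it.
LEGIT = build_request(
    "body=It+was+the+best+of+posts.&submit=Publish&csrf_token="
    + csrf_token_for("Re9ljf4uObKk9mSFqBlusxamUKw"),
    ["Origin: https://www.romansjournalingsite.com"],
)

# Constructed attacker page at https://evil.example: when Roman visits it while logged in,
# his browser submits this form to Roman's site and attaches Roman's cookie automatically.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://www.romansjournalingsite.com/blog/create">
  <input type="hidden" name="body" value="Buy my cheap watches">
  <input type="hidden" name="submit" value="Publish">
</form>
<script>document.getElementById("f").submit();</script>"""

# What that page makes the victim's browser send: cookie present, token absent, Origin is the attacker's.
FORGED = build_request("body=Buy+my+cheap+watches&submit=Publish", ["Origin: https://evil.example"])
# Same forgery from a client that sends no Origin header at all (as in the excerpt's request).
FORGED_NO_ORIGIN = build_request("body=Buy+my+cheap+watches&submit=Publish")

if __name__ == "__main__":
    print("naive, forged:  ", handle_create_naive(FORGED))
    print("checked, forged:", handle_create_checked(FORGED))
    print("checked, forged, no Origin:", handle_create_checked(FORGED_NO_ORIGIN))
    print("checked, legit: ", handle_create_checked(LEGIT))
```

The naive handler accepts the forged request because the cookie is the only thing it looks at, and the browser sends cookies regardless of which page triggered the request. The checked handler rejects it twice over: once on the Origin header, and, for clients that send none, on the missing token, which evil.example cannot read (same-origin policy) or compute (it needs the server secret).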