A cross-site request forgery (CSRF) attack occurs when an attacker can make a target’s browser send an HTTP request to another website. That website then performs an action as though the request were valid and sent by the target. Such an attack typically relies on the target being previously authenticated on the vulnerable website where the action is submitted and occurs without the target’s knowledge. When a CSRF attack is successful, the attacker is able to modify server-side information and might even take over a user’s account. Here is a basic example, which we’ll walk through shortly:

  1. Bob logs into his banking ...
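
To make the defender's side of this concrete, here is an added example (not code from the book) of the state-changing "transfer" endpoint written twice: once trusting the session cookie alone, and once requiring a per-session synchronizer token plus an exact Origin check. The names `SITE_ORIGIN`, `transfer_vulnerable`, `transfer_protected`, `Session` and `Request` are assumptions for this demo, and the sessions and requests are constructed inline rather than taken from a real server.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values for this demo; not from the book.
SITE_ORIGIN = "https://bank.example"
SESSIONS: dict = {}  # session id -> Session, stands in for a server-side session store


@dataclass
class Session:
    user: str
    balance: int
    # Synchronizer token: unguessable, stored server-side, bound to this session.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    form: dict
    headers: dict
    cookies: dict


def login(user: str, balance: int) -> str:
    """Create a server-side session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user, balance)
    return sid


def session_from(request: Request):
    return SESSIONS.get(request.cookies.get("sid", ""))


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix match would accept bank.example.attacker.tld."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def transfer_vulnerable(request: Request):
    """Trusts the session cookie alone, so any page that makes the browser POST here succeeds."""
    sess = session_from(request)
    if request.method != "POST" or sess is None:
        return 401, "not authenticated"
    amount = int(request.form["amount"])
    sess.balance -= amount
    return 200, f"sent {amount} to {request.form['to']}"


def transfer_protected(request: Request):
    """Same action, but requires proof that the request came from the bank's own pages."""
    sess = session_from(request)
    if request.method != "POST" or sess is None:
        return 401, "not authenticated"
    # Check 1: Origin (or Referer as a fallback) must be the bank itself.
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if not same_origin(origin):
        return 403, "cross-origin request refused"
    # Check 2: the form must carry this session's token; compare in constant time.
    token = request.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    amount = int(request.form["amount"])
    sess.balance -= amount
    return 200, f"sent {amount} to {request.form['to']}"


def demo():
    """Run a legitimate request and a cross-site one through both handlers."""
    sid = login("bob", 1000)
    sess = SESSIONS[sid]
    # Legitimate submission from the bank's own transfer page (constructed).
    legit = Request("POST", {"to": "alice", "amount": "100", "csrf_token": sess.csrf_token},
                    {"Origin": SITE_ORIGIN}, {"sid": sid})
    # Submission triggered from another site (constructed): the browser still attaches
    # the cookie, but that site cannot read the token and the Origin header names it.
    cross = Request("POST", {"to": "mallory", "amount": "500"},
                    {"Origin": "https://attacker.example"}, {"sid": sid})
    results = {
        "legit_vulnerable": transfer_vulnerable(legit)[0],
        "legit_protected": transfer_protected(legit)[0],
        "cross_vulnerable": transfer_vulnerable(cross)[0],
        "cross_protected": transfer_protected(cross)[0],
    }
    results["balance"] = sess.balance
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unprotected handler accepting both requests while the protected one refuses the cross-site submission with 403, and only the legitimate transfers are deducted from Bob's balance. In a real application the token is rendered into the bank's own forms, and `SameSite` cookie attributes add a further browser-side layer; the token check remains the server-side control.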

Get Real-World Bug Hunting now with O’Reilly online learning.