Chapter 8. Cross-Site Request Forgery

The cross-site request forgery (CSRF) vulnerability enables an attacker to exploit a victim user’s authenticated session and trick the user into performing any state-changing operation that the victim user is authorized to perform. For example, this attack can result in changing a user password, updating account details, or making purchases without the user knowing.

Attack Mechanics

As the name indicates, an attacker lures a user into visiting a cross-site page, that is, an externally hosted malicious web page, which typically contains a forged HTML form whose hidden fields match the form rendered by the target web application. The browser attaches the user's session cookie to the forged submission just as it would to a legitimate one, so the target application cannot tell the two apart by authentication alone.

For example, Example 8-1 shows a malicious web page targeting an admin user of a vulnerable application. It entices the user to click a button, which submits the form. Because the server response is rendered into a hidden iframe, the victim user gets no visible clue that the transaction took place.

Example 8-1. A malicious web page crafted for a CSRF attack
<!-- Forged form: the hidden fields mirror the target application's own
     changeRole form, and the response is sent to a 1x1 hidden iframe -->
<form method="POST" action="http://example.com/admin/changeRole"
      target="iframeHidden">
  <h1>You are about to win a brand new iPhone!</h1>
  <h2>Click on the win button to claim it...</h2>
  <input type="hidden" name="accountId" value="67887"/>
  <input type="hidden" name="newRoleId" value="1"/>
  <input type="submit" value="Win !!!"/>
</form>
<!-- iframe is not a void element, so it needs an explicit closing tag -->
<iframe name="iframeHidden" width="1" height="1"></iframe>

In this example, when an admin user—who is authorized to escalate the role of other users—clicks ...
