Cross-Site Request Forgery

Cross-site request forgery (XSRF) involves using credentials stored in the browser to make authenticated requests to web services. Often combined with an XSS attack, these types of attacks allow malicious JavaScript to impersonate you, performing actions without your knowledge or consent.

This attack requires a web service to store authentication tokens in the browser, either in browser cookies or in the application layer. How these tokens are accessed depends on how they’re stored. Cookie-based tokens are simply added to any matching outgoing request, so all an attacker has to do is make a valid request, and the authentication information will be added by the browser. Attacks against application-layer tokens require ...
