Chapter 4

Cross-Site Request Forgery

Cross-site request forgery (CSRF) is a common web attack, yet many developers do not understand it well. CSRF is highly destructive and also the most easily overlooked attack in web security; many engineers do not fully grasp its preconditions and its impact.

4.1 Introduction

What is CSRF? Let us look at an example.

In Chapter 3, we used the example “delete Sohu blog” when discussing XSS payloads. After logging on to the Sohu blog, you only need to request the following uniform resource locator (URL), and you will be able to delete blog post no. 156713012.

http://blog.sohu.com/manage/entry.do?m=delete&id=156713012

This URL is also vulnerable to CSRF. We will try to exploit this CSRF vulnerability to delete ...
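To make the precondition concrete, here is an added illustration (not code from the book or from Sohu) that models the delete endpoint above as two request handlers: the cookie-only version the page describes, and a hardened version using the synchronizer-token pattern. The `Request` class, `SESSIONS`, and the in-memory `posts` dictionary are constructed stand-ins for a real blog backend.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (assumed layout, not Sohu's real backend).
SESSIONS = {"sid-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}

@dataclass
class Request:
    method: str
    params: dict                       # query string, e.g. m=delete&id=156713012
    cookies: dict                      # the browser attaches these to cross-site requests too
    form: dict = field(default_factory=dict)

def _session_and_owner_check(req, posts):
    """Shared part: resolve the session cookie and confirm the caller owns the post."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return None, "401 not logged in"
    post_id = int(req.params.get("id", 0))
    if posts.get(post_id) != sess["user"]:
        return None, "403 not the owner"
    return sess, None

def delete_vulnerable(req, posts):
    """As on the page: a GET carrying the right cookie is enough, so a request the
    victim's browser was induced to send from another site deletes the post."""
    sess, err = _session_and_owner_check(req, posts)
    if err:
        return err
    del posts[int(req.params["id"])]
    return "200 deleted"

def delete_hardened(req, posts):
    """Synchronizer-token pattern: state changes only via POST, and the form must
    carry a token matching the one stored server-side for this session."""
    sess, err = _session_and_owner_check(req, posts)
    if err:
        return err
    if req.method != "POST":
        return "405 state-changing action requires POST"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return "403 missing or invalid CSRF token"   # a cross-site page cannot read the token
    del posts[int(req.params["id"])]
    return "200 deleted"

# Constructed sample: the page's URL as a GET, with the victim's session cookie attached.
FORGED_GET = Request("GET", {"m": "delete", "id": "156713012"}, {"sid": "sid-alice"})
```

The token check only helps if the token is tied to the session and unreadable cross-origin; a SameSite cookie attribute is a complementary, not a replacement, defence.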
