Cross-Site Request Forgery (CSRF)
In this blog, we are going to learn about cross-site request forgery, also known as CSRF. Cross-site request forgery is when an attacker manipulates a user's browser into making a request to your website from a third-party site, so that the request appears to come from the user. An attacker can do this simply to generate fraudulent clicks or fraudulent requests, requests that the user did not intend to make. But even more concerning, they can do it to take advantage of a user's logged-in state. Let's take a quick look at this.
How does it work?
Imagine that you, as a user, are logged into your bank account. Once you are done with your banking, you browse to another website, but you don't actually click logout. Your session with the bank is still open, and the bank doesn't know that you have surfed somewhere else. As far as the bank is concerned, you may be about to click another link at any moment to perform another action. Instead, you surf the Internet and load a new web page which contains a specially crafted image or video. The source of that image or video is not an image or video file at all; it is a URL request to your bank to transfer money from one account to another, and your browser sends it along with your bank session cookie.
You can see why this would be a problem. If you are not logged in, this is just a request made on your behalf to another server that you did not intend. But if you are logged in, then it is a request made as a logged-in user to that server, which is potentially much more dangerous. It doesn't have to be your bank, either: it could be PayPal, Amazon.com, eBay, or any site that you might create.
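To make the scenario concrete, here is an added example (not code from the original post) that models a bank's transfer endpoint in Python. The session store, account balances and session id are constructed sample data, and the hardened handler's synchronizer-token check is one common defence, shown only to make visible which check the vulnerable handler is missing. The forged request carries the victim's session cookie because the browser attaches it automatically, exactly as described above, but the attacker's page cannot read the token that the bank embeds in its own form.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: server-side session store (session id -> user) and balances.
SESSIONS = {"sess-abc123": "alice"}
BALANCES = {"alice": 1000, "bob": 0, "mallory": 0}

# Assumption: a server-only secret used to derive a per-session CSRF token.
CSRF_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal model of an HTTP POST.

    `cookies` are attached by the browser to every request for the bank's origin,
    no matter which page triggered it; `form` is built by whichever page made the request.
    """
    cookies: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session, embedded only in the bank's own form."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _do_transfer(user: str, form: dict, balances: dict) -> str:
    """Apply the transfer once the request has been accepted."""
    to = form["to"]
    amount = int(form["amount"])
    if balances[user] < amount:
        return "400 insufficient funds"
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 transferred"


def transfer_vulnerable(req: Request, balances: dict) -> str:
    """Trusts the session cookie alone: any page that can make the browser POST here succeeds."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "401 not logged in"
    return _do_transfer(user, req.form, balances)


def transfer_hardened(req: Request, balances: dict) -> str:
    """Same endpoint, but also requires the token that only the bank's own page can supply."""
    session_id = req.cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    expected = csrf_token_for(session_id)
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    return _do_transfer(user, req.form, balances)


def simulate() -> dict:
    """Send a legitimate transfer and a forged cross-site one through both handlers."""
    # Legitimate request built by the bank's own form: it carries the token.
    legit = Request(
        cookies={"session": "sess-abc123"},
        form={"to": "bob", "amount": "100", "csrf_token": csrf_token_for("sess-abc123")},
    )
    # Forged request triggered from a third-party page: the browser still attaches the
    # session cookie, but the page that built the form never had the token.
    forged = Request(
        cookies={"session": "sess-abc123"},
        form={"to": "mallory", "amount": "500"},
    )
    results = {}
    for name, handler in (("vulnerable", transfer_vulnerable), ("hardened", transfer_hardened)):
        balances = dict(BALANCES)  # fresh copy so the two handlers start from the same state
        results[name] = {
            "legit": handler(legit, balances),
            "forged": handler(forged, balances),
            "alice_balance": balances["alice"],
        }
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Running it shows the vulnerable handler accepting both requests and Alice's balance dropping by the forged 500, while the hardened handler rejects the forged request with a 403 and only the legitimate 100 leaves her account. The point to take from the comparison is that "is the user logged in?" is the wrong question for a state-changing request; the server also has to establish that the request was built by its own page.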
So, how do we defend against CSRF?
Well, I will discuss them in another article!