2 comments
Security 
The Cross-Site Request Forgery is a relatively unknown and misunderstood attack, often mixed up with the Cross-Site Scripting (XSS) attack.
The biggest difference is the server where the malicious code is hosted. With a XSS attack, that code is injected in the trustedsite you are visiting (e.g. a Forum site, or any other site you trust and sign on to) and tries to steal information by sending it to another location:
With the CSRF the scenario is reversed, a user is tricked to a specially crafted URL (either from a compromised site, or in an email message) which executes on the trusted site.
For instance, the trusted site has a voting mechanism, http://www.mytrustedwebsite.com/vote?123 and the compromised site has a page with an image tag with the same address, everyone going there is downloading/clicking it (or use some javascript or a hidden frame) and will enter a vote.
Nothing really bad can happen here, right? But what if the trustedsite has a delete URL, or a “transfer money” option. The bad thing here is that the attacker can use any open session on the trusted site, and use the credentials of that user. So always sign out when you’re done at a site!
Of course this problem seems to involve a GET request, but it can also be done with POST requests, so be aware of this.
Some ways to mitigate this is to only accept POST request, check the referer property of the browser(not always available in all browsers) and add a special unique token/cookie to every request to make sure the visitor really was a visitor at that moment at the trusted site.
2 comments
that’s one the reasons most secure website’s only use browser session based cookies for authentication… baking a persistent cookie can burn your fingers 🙂
timm
Even with session cookies you are vulnerable during browsing, and the attacker has an extra time window of about 20 minutes if you forget to sign out.
Erik Oppedijk