Posted on 12/06/2014
What is Cross-Site Request Forgery (XSRF)? How is it different from Cross-Site Scripting (XSS)? Could you please explain XSRF with an example? What is login CSRF? How can one defend against CSRF attacks? As a website admin, what can I do to protect my website from an XSRF attack?
What is the threat posed by XSRF to my website?
CSRF, generally termed Cross-Site Request Forgery, is an attack that forces or drives an end user to perform unwanted actions in a web application where he or she is currently authenticated. It is also known as a one-click attack or session riding. It is a kind of malicious exploit of a website wherein unauthorized commands are sent from a user that the website trusts.
It deceives the victim into sending a malicious request. The request is malicious in the sense that it takes over the privileges and identity of the victim to execute an unwanted function on the victim's behalf. For the majority of websites, browser requests will automatically contain some credentials related to the site, like the user's session cookie, Windows domain credentials, IP address, and others.
For that reason, if the user is presently authenticated to the site, it is impossible for the site to distinguish a forged request sent by the victim from a genuine request sent by the victim.