Cross Site Request Forgery is also known as XSRF, and many people also call it CSRF. An XSRF attack forces the victim's browser to perform a task or make a request that benefits the attacker. The request is made without the user's knowledge, and since it comes from the victim's browser, it is not treated as an illegitimate action. At some level we can say that XSRF is a mix of XSS and frame injection attacks. XSRF attacks let an attacker make the victim unintentionally transfer money to the attacker's bank or PayPal account, buy stocks on the share market, and so on. The problem is that no firewall or intrusion detection system will raise an alarm about the forgery, since the request is made from the victim's browser.
That might be a little difficult to understand, so let me explain it in an easier way. Suppose you are logged into your Amazon account to buy a product, say a book on hacking. You search some site for reviews of various hacking-related books. You find a good review of Counter Hack Reloaded and decide to buy it, so you click the ADD TO MY CART button on the site where you read the review. As it happens, the site you made the request from is the attacker's site, and the attacker also wants to sell his/her own book on hacking, to make revenue and boast of its sales. So instead of putting a direct link behind the ADD TO MY CART button, the attacker places a script that also makes a request to add his/her book to your cart. When you check out, your cart will contain two books and you'll unknowingly be paying for his/her book for no reason. By the way, Amazon is not vulnerable to XSRF attacks, so at present you are safe to buy anything from Amazon.
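As an added example (not code from the original post), here is a defender-side replay of the scenario above in Python: a constructed cart handler that trusts the session cookie alone, beside a hardened version that also requires a per-session synchronizer token and a matching Origin header. The shop origin, review-site origin, header names and items are assumed stand-ins; no real requests are made.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the protected shop; a stand-in, not a real site.
SITE_ORIGIN = "https://shop.example"

@dataclass
class Session:
    """Server-side session. The token is generated once per session and
    embedded in the site's own forms, where a third-party page cannot read it."""
    user: str
    cart: list = field(default_factory=list)
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """Constructed stand-in for an incoming POST: headers plus form fields."""
    headers: dict
    form: dict

def add_to_cart_unprotected(session, request):
    """'Before' handler: trusts the session cookie alone, so any page the
    victim visits can have their browser submit this form on their behalf."""
    session.cart.append(request.form["item"])
    return 200

def add_to_cart_protected(session, request):
    """Hardened handler: the cookie still authenticates the user, but the request
    must also carry the per-session token and an Origin header for this site.
    A missing Origin is rejected here too; real code may fall back to Referer."""
    if request.headers.get("Origin") != SITE_ORIGIN:
        return 403
    token = request.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time compare
        return 403
    session.cart.append(request.form["item"])
    return 200

def demo():
    """One genuine submission and one forged from the review site, against each
    handler. Returns (cart before hardening, (statuses), cart after hardening)."""
    genuine = {"item": "Counter Hack Reloaded"}
    forged = {"item": "attacker's book"}  # the cookie rides along, the token does not
    before, after = Session(user="reader"), Session(user="reader")
    add_to_cart_unprotected(before, Request({"Origin": SITE_ORIGIN}, genuine))
    add_to_cart_unprotected(before, Request({"Origin": "https://reviews.example"}, forged))
    ok = add_to_cart_protected(after, Request({"Origin": SITE_ORIGIN}, {**genuine, "csrf_token": after.csrf_token}))
    blocked = add_to_cart_protected(after, Request({"Origin": "https://reviews.example"}, forged))
    return before.cart, (ok, blocked), after.cart
```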
The above is just an example of how an XSRF attack can take place; in reality the attack method and style vary depending on how vulnerable a web application is and how the attacker has planned the attack. The attack described above is known as a Forced Browsing XSRF attack. Another is known as a Hacked Session XSRF attack, also called a Fixed Session XSRF attack, Authentication Hacked XSRF attack or Stolen Cookies XSRF attack, and the last one is the JavaScript Object Notation XSRF attack, better known as a JSON attack (many people also spell it as Jason attack). Many professionals disagree about whether the JSON attack should be counted as an XSRF attack. We are not interested in conflicts among security professionals, nor do we have any problem with the several naming conventions.
This post just covers the basics of Cross Site Request Forgery; in future posts I'll try my best to explain it in an easily understandable way, with as little detail as possible while still covering all the important points. Many newbies have trouble understanding XSRF attacks the first time. So if you also have any problem understanding the above, feel free to ask.
Please note that we will cover each type of XSRF attack in a separate post, so if you have questions about those, please wait for the future posts to cover them, but you can still ask if you have any problem understanding the above basics about XSRF attacks. Thanks for reading, have a nice time and keep visiting.