CSRF (or XSRF) stands for cross-site request forgery: a malicious user tricks the victim's browser into silently sending an HTTP request to a website on which the victim is logged in. An example of such an attack is inserting an invisible image tag whose src points to http://example.com/site/logout. Even if the image tag is inserted in another website, you will be immediately logged out from example.com. The consequences of CSRF can be very serious: destroying website data, preventing all website users from logging in, exposing private data, and so on.
Because a CSRF request is performed by the victim's browser, the attacker normally cannot change the HTTP headers it sends. However, both browser and Flash plugin vulnerabilities have been found that allowed headers to be spoofed, so we should not rely on headers alone. The attacker also has to pass exactly the same parameters and values that the user would normally send.
Considering these, a good method of dealing with CSRF is passing...
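To illustrate why the two constraints above (the attacker controls neither headers nor a secret the victim's page holds) give the defender leverage, here is an added example that is not the author's code: a minimal in-memory request handler that refuses the image-tag logout because it arrives as GET, and refuses a forged POST because it lacks the per-session token that only the genuine form carries. The `Session`, `Request` and `handle` names and the in-memory store are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Unguessable per-session secret; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict                      # the browser attaches these automatically
    form: dict = field(default_factory=dict)


SESSIONS: dict = {}                    # constructed in-memory session store


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def handle(req: Request) -> tuple:
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    if req.path == "/site/logout":
        if req.method != "POST":       # never change state on GET (the <img> case)
            return 405, "logout requires POST"
        # A forged POST must reproduce every parameter, but only the real form
        # knows the token, so the attacker's copy fails this constant-time check.
        if not hmac.compare_digest(req.form.get("_csrf", ""), session.csrf_token):
            return 403, "missing or invalid CSRF token"
        del SESSIONS[req.cookies["sid"]]
        return 200, "logged out"
    return 404, "no such page"


def demo() -> tuple:
    sid = login("alice")
    cookies = {"sid": sid}
    forged_img = handle(Request("GET", "/site/logout", cookies))
    forged_post = handle(Request("POST", "/site/logout", cookies, {"_csrf": "guess"}))
    token = SESSIONS[sid].csrf_token   # only the genuine page can embed this
    real = handle(Request("POST", "/site/logout", cookies, {"_csrf": token}))
    return forged_img[0], forged_post[0], real[0]
```

Running `demo()` returns `(405, 403, 200)`: the image-tag request and the forged form are rejected, and only the genuine form with the session's token logs the user out.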