20.3.15. Cross-site request forgery (CSRF)

Description: 20.3. Application Attacks


4 Terms

1.

CSRF

Cross-Site Request Forgery (CSRF)

An attack in which you are tricked into unknowingly making an unwanted request to a website you are already logged into.

How it works: Imagine you are logged into your online bank. An attacker sends you a deceptive email or a link to another website. When you visit the attacker's site, it secretly contains code that tries to send a request to your bank. Because your browser is already logged into the bank (it holds your session cookies and attaches them automatically), the bank's website treats the request as legitimate, even though you did not knowingly initiate it.

2.

CSRF Token

Cross-Site Request Forgery token

A secret, one-time value (a "password" for the request) added to every important web action.

A CSRF token exists precisely to make sure that the action you are taking (such as a transfer or a password change) comes from the legitimate website's own page that you loaded, and is not being secretly forced from a link or page on another, malicious website. Because the attacker's site cannot read the token, it cannot include it in a forged request, and the server rejects requests without it.

3.

SameSite Cookie Attribute

This tells your browser to only send a website's cookies (which prove you are logged in) when the request comes directly from that same website, stopping other sites from secretly using your login.

In other words, the request is coming from bank.com to bank.com: it is the same origin, so the cookie is sent. A request triggered from another site would not carry it.

4.

CORS Policy

Cross-Origin Resource Sharing

This is a rule configured on a web server that says, "I will only accept requests from these specific, trusted websites." It blocks cross-origin requests coming from unknown or untrusted places.