CSRF in Layman’s tech terms (or as best as possible)

Pronounced “sea surf”, it stands for Cross-Site Request Forgery.

Cross-site means two domains are involved: the phishing site that hosts the malicious content and the target domain being attacked. Request means a resource request (a URL, an image, etc.).

What it means is that an attacker places HTML inside a web page or email that the user is viewing. The page itself looks “safe”, and the user believes it is, but the damage comes when a link, or worse an img URL that loads automatically, ends up downloading a torrent file or performing an admin function on another site via its query string.

Example scenario

The end user goes to BusinessSite.com daily to manage users, and is currently logged in (via a cookie stored in the browser, which is sent along with every request to that site). So any malicious link that is clicked would have negative consequences.

Say the HTML source of the compromised or phishing site contains a link like this:

Click <a target="_blank" href="http://BusinessSite.com/admin/tools.aspx?action=deleteUser&userID=7&bypassConfirm=true">here</a> to win.

When the user clicks on the link, pow! The user with ID 7 has been deleted automatically, with no confirmation prompt. See how detrimental XSRF attacks can be to data, people, and business processes?
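The scenario above, seen from the server side, as an added example (this is illustrative code, not from the original post): a check that a state-changing action such as deleteUser refuses plain GET links, rejects requests whose Origin/Referer is not our own site, and demands a per-session anti-CSRF token that a phishing page cannot read. The site origin, the function names and the request shape are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed origin of the admin site from the post (lowercase host, HTTPS assumed).
SITE_ORIGIN = "https://businesssite.com"


def new_csrf_token() -> str:
    """Generate an unguessable token to keep in the user's server-side session."""
    return secrets.token_urlsafe(32)


def is_state_change_allowed(method: str, headers: Dict[str, str],
                            form: Dict[str, str], session_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request such as deleteUser.

    Defences, in order:
      1. Refuse GET: an <a href> or <img src> on a phishing page can only issue GET.
      2. Require Origin (or, failing that, Referer) to match our own site.
      3. Require the session's anti-CSRF token in the form body: the browser attaches
         cookies automatically, but the attacker's page cannot read this token.
    """
    if method.upper() != "POST":
        return False, "state-changing action must use POST"
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False, "missing Origin/Referer"
    parts = urlsplit(src)
    if f"{parts.scheme}://{parts.netloc}".lower() != SITE_ORIGIN:
        return False, f"cross-site request from {parts.netloc or src!r}"
    token = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not session_token or not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    tok = new_csrf_token()
    # The link from the post: a GET the browser sends together with the victim's cookie.
    print(is_state_change_allowed("GET", {"Referer": "http://phish.example/win.html"},
                                  {"action": "deleteUser", "userID": "7"}, tok))
    # A legitimate form submission from the admin page itself.
    print(is_state_change_allowed("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": tok}, tok))
```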