A description of attack types
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions in a web application wherein they're currently authenticated.
Cross-Site Request Forgery (CSRF) attacks specifically target state-changing requests – not theft of data since the attacker has no way to see the response to the forged request.
With a little social engineering help (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force them to perform state-changing requests such as transferring funds or changing their email address. If the victim has an administrative account, CSRF can compromise the entire web application.
If the application was designed to use GET requests to execute actions like making bank transfers or sending messages, the action might be reduced to a single request such as the one shown below:
GET http://application.com/action.do?account=Victim&amount=100 HTTP/1.1
An attacker now decides to exploit this web application vulnerability. The attacker first constructs the following exploit URL, which will transfer $10,000 from the victim's account to their own.
The social engineering aspect of the attack tricks the victim into loading this URL while logged into the banking application. This is usually done with one of the following techniques:
- sending an unsolicited email with HTML content
- planting an exploit URL or script on pages the victim is likely to visit while banking online
The only difference between the GET and POST variants of the attack is how the victim's browser ends up submitting the forged request. Let's assume the bank now uses POST and the vulnerable request looks like this:
POST http://application.com/action.do HTTP/1.1
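Server-side checks that defeat both the GET and the POST variant described above, as an added example that is not part of the original text; the names SERVER_KEY, SITE_ORIGIN, check_request, issue_csrf_token and the csrf_token form field are assumptions made for this illustration:

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side key and trusted origin (constructed for this example).
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://application.com"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session: a cross-site page cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, path: str, headers: dict, body: str, session_id: str):
    """Decide whether a request to the state-changing endpoint should be honoured.

    Returns (allowed, reason). Only action.do changes state; other paths pass through.
    """
    if not path.startswith("/action.do"):
        return True, "not a state-changing endpoint"
    # A GET must never change state, which defeats the GET variant of the attack outright.
    if method != "POST":
        return False, "state change via GET refused"
    # Browsers attach Origin (or at least Referer) to cross-site POSTs; compare scheme+host
    # exactly rather than by prefix, so "https://application.com.evil.example" does not pass.
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        p = urlparse(source)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False, "cross-site origin"
    # Primary control: the per-session token must be present and match (constant-time compare).
    token = parse_qs(body).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: the forged GET from the text, a forged POST, a legitimate POST.
    print(check_request("GET", "/action.do?account=Victim&amount=100", {}, "", "sess-victim"))
    print(check_request("POST", "/action.do", {"Origin": "https://evil.example"},
                        "account=Attacker&amount=10000", "sess-victim"))
    good = f"account=Alice&amount=100&csrf_token={issue_csrf_token('sess-victim')}"
    print(check_request("POST", "/action.do", {"Origin": SITE_ORIGIN}, good, "sess-victim"))
```

The token check is the control that actually matters; the origin comparison and the refusal of state-changing GETs are defence in depth.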