Chapter 4. Cross-Site Request Forgery
Cross-site request forgery (CSRF) is another common web vulnerability, in which an attacker tricks the victim's browser into sending requests to a website, which then performs certain actions on behalf of the logged-in user (the victim). The web server processing the request executes the requested actions because the request looks like any normal request generated by the user's browser. CSRF vulnerabilities vary widely in severity: benign ones can change settings or post on someone's behalf, while critical ones can result in a password change, account takeover, and so on.
CSRF has been commonly featured in the OWASP Top-10 vulnerability list for the past few years. It is widely misunderstood by developers, who often fail to understand the root cause of the issue and therefore implement half-baked solutions to the CSRF problem. I shall attempt to explain CSRF in a more technical fashion.
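The server-side view described above, as an added example that is not part of the original chapter: a handler that trusts the session cookie alone accepts a request it cannot tell apart from the user's own, while a handler that also checks a per-session token rejects it. The session store, handler names, request dictionaries and the token check are assumptions made for illustration.

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory store: session id -> account state

def login(user, email):
    """Create a session; the browser keeps the session id as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "email": email,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def change_email_cookie_only(request):
    """Trusts the session cookie alone, so every request the browser sends
    with that cookie is treated as the user's own action."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200

def change_email_with_token(request):
    """Also requires the per-session token that the site embeds in its own
    forms and that the browser does not attach automatically."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403
    session["email"] = request["form"]["email"]
    return 200

def demo():
    """Replay two constructed requests as the server sees them."""
    sid = login("alice", "alice@example.com")
    token = SESSIONS[sid]["csrf_token"]
    # Both carry the cookie; only the site's own form carries the token.
    cross_site = {"cookies": {"sid": sid}, "form": {"email": "other@example.net"}}
    own_form = {"cookies": {"sid": sid},
                "form": {"email": "new@example.com", "csrf_token": token}}
    outcome = []
    for handler, request in ((change_email_cookie_only, cross_site),
                             (change_email_with_token, cross_site),
                             (change_email_with_token, own_form)):
        outcome.append((handler(request), SESSIONS[sid]["email"]))
    return outcome

if __name__ == "__main__":
    print(demo())
```

Each tuple in the result pairs the HTTP status with the account's email after that request, so the first entry shows the state change the cookie-only handler allowed.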
In this chapter...