Introducing cross-site request forgery
Cross-site request forgery (CSRF) exploits the trust that a site has in a user's browser: the browser attaches the user's cookies to every request sent to the site, whether or not the user intended to send it. It is also defined as an attack that forces an end user to execute unwanted actions on a web application in which the user is currently authenticated. We have already seen at least two instances where CSRF has happened. Let's review these security issues now.
Examples of CSRF
We will now take a look at a basic CSRF example:

1. Go to the source code provided for this chapter and change the directory to chp4/python_tornado. Run the following command:

python xss_version.py

Remember to start your MongoDB process as well.

2. Next, open external.html, found in templates, on another origin (a different host or port from the to-do application), say http://localhost:8888. You can do this by starting a second copy of the server, which can be done by running python xss_version.py --port=8888, and then visiting http://localhost:8888/todo_external. You will see the following screenshot:

3. Click on Add To Do, and fill in a new to-do item, as shown...
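To make the mechanism behind the walkthrough above concrete, here is an added example (not the chapter's Tornado code) that models the to-do handler twice: once trusting the session cookie alone, and once requiring a synchronizer token plus an Origin check, which is the same idea Tornado implements when xsrf_cookies is enabled and xsrf_form_html() is used in the form. The request dictionaries, the in-memory session store, and the origins http://localhost:8000 (the application) and http://localhost:8888 (the page hosting the forged form) are constructed assumptions so the example runs without a web framework or a browser.

```python
"""Constructed model of a cookie-authenticated POST handler, vulnerable and
hardened. Added example; it is not the chapter's code and needs no framework."""
import hmac
import secrets
from typing import Dict, List, Optional
from urllib.parse import urlsplit

APP_ORIGIN = "http://localhost:8000"       # assumed origin of the to-do app
ATTACKER_ORIGIN = "http://localhost:8888"  # assumed origin of external.html

SESSIONS: Dict[str, Dict[str, str]] = {}   # hypothetical in-memory session store
TODOS: Dict[str, List[str]] = {}           # user -> to-do items


def login(user: str) -> str:
    """Start a session. The browser will attach the returned cookie to every
    request aimed at APP_ORIGIN, including ones a third-party page triggers."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    TODOS.setdefault(user, [])
    return sid


def csrf_token_for(sid: str) -> str:
    """Per-session token the server embeds in its own form."""
    return SESSIONS[sid]["csrf"]


def _session(req: dict) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.get("cookies", {}).get("session", ""))


def _request_origin(req: dict) -> str:
    """Browsers send Origin on cross-site POSTs; fall back to Referer's origin."""
    headers = req.get("headers", {})
    if "Origin" in headers:
        return headers["Origin"]
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def add_todo_vulnerable(req: dict) -> int:
    """Accepts any POST carrying a valid session cookie. Returns an HTTP status."""
    sess = _session(req)
    if req["method"] != "POST" or sess is None:
        return 403
    TODOS[sess["user"]].append(req["form"]["item"])
    return 200


def add_todo_protected(req: dict) -> int:
    """Same handler with two independent CSRF defences."""
    sess = _session(req)
    if req["method"] != "POST" or sess is None:
        return 403
    # 1. Source-origin check: an exact match, not a prefix test, so that an
    #    origin such as http://localhost:8000.example cannot slip through.
    if _request_origin(req) != APP_ORIGIN:
        return 403
    # 2. Synchronizer token: the attacker's page cannot read the token across
    #    origins, so a forged form cannot include it. Constant-time compare.
    submitted = req["form"].get("_xsrf", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403
    TODOS[sess["user"]].append(req["form"]["item"])
    return 200


def forged_request(sid: str) -> dict:
    """What the victim's browser sends when external.html at ATTACKER_ORIGIN
    auto-submits a form to the app: the session cookie rides along, no token."""
    return {
        "method": "POST",
        "headers": {"Origin": ATTACKER_ORIGIN},
        "cookies": {"session": sid},
        "form": {"item": "Attacker-chosen item"},
    }


def legitimate_request(sid: str) -> dict:
    """A submission from the application's own form, which carries the token."""
    return {
        "method": "POST",
        "headers": {"Origin": APP_ORIGIN},
        "cookies": {"session": sid},
        "form": {"item": "Buy milk", "_xsrf": csrf_token_for(sid)},
    }


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable, forged:", add_todo_vulnerable(forged_request(sid)))
    print("protected, forged:", add_todo_protected(forged_request(sid)))
    print("protected, legitimate:", add_todo_protected(legitimate_request(sid)))
    print("alice's list:", TODOS["alice"])
```

The forged request is indistinguishable from a real one to the vulnerable handler because the only credential it checks is the cookie, which the browser supplies automatically. The hardened handler keeps both checks because each covers the other's gaps: older clients or stripped headers can leave Origin and Referer empty, and the token check is what still holds then.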