What is a CSRF attack?
Such a question about CSRF... Can this attack be done only when you know the names of the fields in the table?
CSRF is a vulnerability that allows forging requests on behalf of a user. When you submit an HTML form from one domain to another, the browser will automatically add your cookies set for the target domain to the request. This allows an attacker, without having access to your cookies, to send a request to the target domain on your behalf with your cookies. To protect against this attack, sites use CSRF tokens, check the Referer header, or require entering a password to confirm important requests (this is a very strange and insecure solution). You can read more about this on Wikipedia (look for cross-site request forgery).
To implement it, the attacker makes a form on his site with filled fields, like the original form.
The victim may not need to click anything; it is enough to go to the attacker's site, since code that sends the form to the site can be inserted into the body of the page.
Implementation examples are on the owasp.org website, the link was provided to you above.
For protection, so-called CSRF tokens are used, and various ways of verifying your identity when performing critical operations (for example, when you change your password, you are asked for the old one).
A CSRF token is a random value assigned to a user per session and sent with each request. The specified properties of the CSRF token do not allow an attacker to implement the scheme above, since the value is random and without a Man-in-the-Middle attack, he will not be able to implement it.
No.
To carry out a CSRF attack, all you need is a form from a website and the path where it is sent.
You just need to copy the form itself into an empty HTML file and make it submit immediately after loading using JS. Naturally, all value attributes must already be set in the form, otherwise the attack loses its point.
However, one of the form's hidden fields may be named csrf-token, in which case you can safely forget about this attack. (Unless the developer is a fool and just added it to the code for the sake of distraction)
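The server-side half of the token defence described in the answers above, as an added example that is not code from any of the answers: a token only helps if the server compares the submitted hidden field against the value stored in the session. The session dict, the /email action and the function names are assumptions made for illustration; the csrf-token field name is the one mentioned above.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
FIELD = "csrf-token"  # hidden field name, as mentioned in the answer above


def issue_token(session: dict) -> str:
    """Create one random token per session and keep it server-side."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def render_form(session: dict) -> str:
    """The site's own form carries the session's token in a hidden field."""
    token = issue_token(session)
    return (
        '<form method="post" action="/email">'  # hypothetical endpoint
        f'<input type="hidden" name="{FIELD}" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def is_request_allowed(session: dict, method: str, form: dict) -> bool:
    """Reject state-changing requests whose token is missing or wrong."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf")
    supplied = form.get(FIELD, "")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the check does not leak token bytes.
    return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    session = {}  # constructed stand-in for the session behind the user's cookie
    token = issue_token(session)
    # Same-site submission: cookie and hidden field both arrive.
    print(is_request_allowed(session, "POST", {FIELD: token, "email": "a@example.com"}))
    # Cross-site submission: the cookie rides along, the token is absent or guessed.
    print(is_request_allowed(session, "POST", {"email": "x@example.com"}))
    print(is_request_allowed(session, "POST", {FIELD: "guess", "email": "x@example.com"}))
```

A form that renders the hidden field while the handler never calls a check like `is_request_allowed` is the "added for distraction" case: the field is present but nothing is enforced.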