Cross-Site Request Forgery

A cross-site request forgery (CSRF) attack forces the victim's browser to make a request without the victim's knowledge or agency. Browsers make requests all the time without the user's knowledge or approval: images, frames, and script tags all trigger them. A CSRF attack focuses on finding a link that, when requested, performs some action beneficial to the attacker. The Web browser's same origin policy (SOP) prohibits interaction between content pulled from different domains, but it does not block a Web page from pulling that content together. The attacker only needs to forge the request; the content of the site's response, which the SOP protects, is immaterial to the success of the attack. A CSRF attack uses an iframe or img element to force the user's browser to issue that request, but without the user's intervention or knowledge. The page carrying the element might be hosted on a server controlled by the attacker. One of the most effective CSRF countermeasures assigns a temporary pseudo-random token to the sensitive forms or links that may be submitted by an authenticated user. The value of the token is known only to the Web application and the user's Web browser, so a request forged from another origin cannot carry it.