1. What is CSRF?
- CSRF (Cross-Site Request Forgery) is a web security vulnerability that tricks a victim into performing unwanted actions on a website where they are authenticated.
- How CSRF works:
1) The victim logs into a legitimate website and their browser stores an authentication cookie.
2) The attacker crafts a malicious link, form or script that sends a request to the target website.
3) The server processes the request as if it were made by the victim, allowing the attacker to perform actions (e.g., transferring funds, changing account settings, etc.).
2. Types of CSRF vulnerabilities
1) GET-based CSRF
- Exploits links or images that trigger GET requests.
- e.g., Clicking an image with a malicious URL
<img src="https://bank.com/transfer?account=attacker&amount=1000">
2) POST-based CSRF
- Uses hidden forms to trigger POST requests.
- e.g., Auto-submitting a hidden form.
<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="account" value="attacker">
<input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>
3) CSRF via Third-Party Websites
- Embeds malicious requests in third-party websites, tricking users into executing actions.
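
The forged GET and POST requests from section 2, replayed against a cookie-only handler and against one that also requires a session-bound token. This is an added example, not part of the original notes; the handler names, session id and request dictionaries are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-process secret (constructed)
SESSIONS = {"s-victim-1"}              # constructed logged-in session id

def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def browser_request(method, params, token=None):
    """Model a request from the victim's browser: the cookie is always attached."""
    form = dict(params)
    if token is not None:
        form["csrf_token"] = token
    return {"method": method, "cookies": {"session": "s-victim-1"}, "form": form}

def naive_transfer(request):
    """Cookie-only check: accepts any method from an authenticated browser."""
    return request["cookies"].get("session") in SESSIONS

def checked_transfer(request):
    """Require POST plus a token the cross-site page cannot read or guess."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS or request["method"] != "POST":
        return False
    sent = request["form"].get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), issue_csrf_token(sid).encode())

params = {"account": "attacker", "amount": "1000"}
forged_get = browser_request("GET", params)     # the <img src=...> case
forged_post = browser_request("POST", params)   # the auto-submitted hidden form
own_form = browser_request("POST", {"account": "friend", "amount": "10"},
                           token=issue_csrf_token("s-victim-1"))

def results():
    """(naive, checked) outcome for each of the three requests."""
    return {name: (naive_transfer(r), checked_transfer(r))
            for name, r in [("forged_get", forged_get),
                            ("forged_post", forged_post),
                            ("own_form", own_form)]}

if __name__ == "__main__":
    for name, outcome in results().items():
        print(name, outcome)
```

The cookie-only handler accepts all three requests because the browser attaches the session cookie regardless of which site triggered the request; the token check accepts only the form the site itself rendered.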