Cross-Site Request Forgery, usually abbreviated CSRF or XSRF, and sometimes pronounced like “sea surf”, is an attack that abuses the trust a web application places in a user’s browser: the browser automatically attaches the user’s credentials to requests, and the application treats any request carrying them as the user’s own.
Essentially, given certain conditions, an attacker is able to trick a user into unknowingly performing a sensitive action (such as transferring money from a bank account, or changing a password) to the attacker’s advantage.
The conditions required for CSRF to work are as follows:
- The victim’s browser holds valid authentication tokens (typically session cookies, which the browser attaches to requests automatically)
- The victim’s account is authorized to perform the sensitive action in question
- The web application accepts requests that trigger the sensitive action
- The parameters of such requests are predictable, i.e., they contain nothing the attacker cannot know in advance (e.g., “account_from=1234&account_to=5678&amount=1000”)
Finally, the victim must actually trigger the attack, so that the request is sent with the victim’s valid authentication tokens and proper authorization (which the attacker does not have). This is usually accomplished via social engineering; for example, the attacker sends a link to a page whose script issues the request from the victim’s browser.
Naturally, the attacker receives no confirmation of CSRF success or failure (and probably neither does the victim) other than by observing its effects, for instance that the 1000 bucks from the example above actually arrived in account #5678.
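As an added example (not code from the original article), the following Python sketch shows the defence that removes the last condition above: a synchronizer token that is unpredictable and bound to the session, which a cross-site page can neither read nor guess. The in-memory session store, the `login` helper and the `/transfer` handler are constructed for illustration only.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}


def login(session_id: str, account: str) -> str:
    """Start a session and mint a per-session CSRF token (synchronizer token pattern)."""
    token = secrets.token_urlsafe(32)  # 256 bits of entropy: not predictable
    SESSIONS[session_id] = {"account": account, "csrf_token": token}
    return token  # the genuine site embeds this in its own forms


def is_valid_csrf(session_id: str, submitted_token) -> bool:
    """Constant-time comparison of the submitted token with the one bound to the session."""
    session = SESSIONS.get(session_id)
    if session is None or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(session["csrf_token"].encode(), submitted_token.encode())


def transfer(cookies: dict, form: dict) -> str:
    """Handle POST /transfer. Cookies arrive with any cross-site request because the
    browser attaches them automatically; the CSRF token only arrives if the page that
    built the form could read it, which a page on another origin cannot."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    if not is_valid_csrf(session_id, form.get("csrf_token")):
        return "403 csrf token missing or invalid"
    # The business parameters are as predictable as ever; only the token is secret.
    return f"200 moved {form['amount']} from {form['account_from']} to {form['account_to']}"


if __name__ == "__main__":
    token = login("sess-abc", "1234")
    request = {"account_from": "1234", "account_to": "5678", "amount": "1000"}
    print(transfer({"session": "sess-abc"}, {**request, "csrf_token": token}))  # 200 ...
    print(transfer({"session": "sess-abc"}, request))                           # 403 ...
```

The same check belongs on every state-changing endpoint, and a `SameSite` cookie attribute complements rather than replaces it.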