CSRF

Work in Progress

Summary

Attack

  • attacker tricks user to visit a website with some request
  • if the user is authenticated with that website, the browser attaches the session cookie and the request goes through

Attacker’s goals

  • trigger an unwanted action on the service using the victim's authenticated session

Defense

  • stay logged out when not intending to use the service
  • clear cookies
  • include something unpredictable in the request that the attacker cannot know, i.e. a CSRF token
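The token defense from the last bullet, and the attack from the Attack section, as an added example that is not part of these notes: a hypothetical state-changing endpoint in two versions, one that trusts the session cookie alone and one that also requires a per-session CSRF token (the synchronizer token pattern). The session store, the endpoint names and the two constructed requests are assumptions for the demonstration. The forged request carries the session cookie, because the browser attaches it automatically, but not the token, because the attacker's page cannot read it.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create an authenticated session and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The site embeds this value in its own forms; other origins cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer_unprotected(request):
    """Vulnerable version: any request carrying a valid session cookie is honoured.

    request is a dict with 'cookies' and 'form' mappings (constructed stand-in
    for a real HTTP request object).
    """
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return (401, "not authenticated")
    return (200, f"transferred {request['form']['amount']} for {session['user']}")


def handle_transfer(request):
    """Hardened version: the session cookie alone is not enough; the request must
    also present the token that only the site's own pages could have embedded."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return (401, "not authenticated")
    submitted = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison on bytes so the check leaks nothing about the token.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return (403, "CSRF token missing or invalid")
    return (200, f"transferred {request['form']['amount']} for {session['user']}")


def demo():
    """Run both endpoints against a legitimate and a forged request (constructed)."""
    sid = login("alice")
    # Request submitted from the site's own form: cookie plus token.
    legitimate = {"cookies": {"session": sid},
                  "form": {"csrf_token": csrf_token_for(sid), "amount": "10"}}
    # Request auto-submitted from a third-party page: the browser adds the
    # cookie, but the token is absent because the attacker's page cannot read it.
    forged = {"cookies": {"session": sid}, "form": {"amount": "1000"}}
    return {
        "unprotected_forged": handle_transfer_unprotected(forged)[0],
        "protected_forged": handle_transfer(forged)[0],
        "protected_legitimate": handle_transfer(legitimate)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The unprotected endpoint returns 200 for the forged request; the hardened one returns 403 for it and 200 only for the request that carries the token minted for that session.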

Concept

Cross-Site Request Forgery (CSRF)

  • exploits the server's trust in the client: the server treats a request as the user's because the browser attached the user's session cookie, even though the user never intended to send it