03. Cross-Site Request Forgery (XSRF)
Nov 21, 2018; 2 min; updated Sep 5, 2022
Cross-site Request Forgery (XSRF)

Example of a forged request embedded in an attacker's page: `<img src="http://bank.com/transfer?from=from_ID&to=to_ID&value=1000">`

Because the user is logged in and has a cookie, the victim site trusts the user's browser. The attacker gets the user's browser to execute a command on the victim site, e.g. request a link or post a form. The command has permanent effects.

A frame can navigate its immediate children. Why is it designed such that it can't navigate its children too? Consider a website with a login frame, where the user inputs passwords...
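The following is an added example, not part of the original note, showing the server-side checks that defeat the forged `bank.com/transfer` request above: the endpoint refuses state-changing GETs (so the `<img>` trick does nothing), requires the request's Origin (or Referer) to match the site, and requires a per-session synchronizer token that an attacker's page cannot read. The origin `https://bank.com`, the `request` dict shape and the `session` dict are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.com"            # assumed origin of the victim site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must never cause side effects


def issue_token(session):
    """Store a fresh random token in the user's session and return it so the
    transfer form can embed it; a cross-origin page cannot read this value."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_ok(headers):
    """Accept only requests whose Origin (or, as fallback, Referer) is our site.
    A request carrying neither header is treated as cross-site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_ok(session, form):
    """Compare the submitted token with the session's token in constant time."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def allow_transfer(request):
    """request is a constructed dict: method, headers, session, form.
    Returns True only when the transfer may be executed."""
    if request["method"] in SAFE_METHODS:
        return False  # a GET from an <img> tag must not move money
    return origin_ok(request["headers"]) and token_ok(
        request["session"], request["form"]
    )
```

The cookie still arrives with every request, so the token and origin checks, not the cookie, are what tell a genuine form post apart from the forged one.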