Cross-site request forgery is an attack in which an attacker coerces a user to perform an action the user did not intend to, on a server the attacker has no control over.
Cross-site scripting is the number 1 vulnerability on the web; if you write software you should know this. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Here is a quick demo of how to discover the injection, and of tools to fix the vulnerability.
You can earn money by reporting this attack: bug bounties of around $12,000 are paid by big-fish websites like Facebook.com and others. Check out the video for a more detailed explanation of how it works: Cracking Websites with Cross Site Scripting - Computerphile
In order to avoid this vulnerability, sites should require anti-forgery tokens in every POST request. At the same time, any action that affects a user's state should only be accepted as a POST request, never as a GET. To check for CSRF, look for state-changing requests to the server that can be replayed as-is, or that contain no value an attacker could not obtain (a session cookie is sent automatically by the browser, so it does not count as such a value).
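The token check described above, as an added example that is not code from the original page: a synchronizer token bound to the session and to the action, with an in-memory session store (`SESSIONS`) and the handler names assumed for illustration. A cross-site form post carries the victim's cookie but cannot read the token, so it is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF secret.
# A real application would keep this in its server-side session storage.
SESSIONS = {}


def start_session():
    """Log a user in: create a session id and bind a fresh random secret to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def issue_token(sid, action):
    """Synchronizer token embedded in the form: HMAC of the action name under
    the session secret. Binding it to the action means a token from one form
    cannot be replayed against a different action in the same session."""
    return hmac.new(SESSIONS[sid], action.encode(), hashlib.sha256).hexdigest()


def handle_request(method, sid, action, form):
    """Server-side handler: only a POST carrying a valid token performs the action.
    `sid` stands for the session cookie the browser attaches automatically;
    `form` is the parsed request body."""
    if method != "POST":
        return 405, "state-changing actions must be POST"
    if sid not in SESSIONS:
        return 401, "not authenticated"
    supplied = form.get("csrf_token", "")
    expected = issue_token(sid, action)
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"{action} performed"


if __name__ == "__main__":
    sid = start_session()
    token = issue_token(sid, "transfer")            # rendered into the site's own form
    print(handle_request("POST", sid, "transfer", {"csrf_token": token}))
    # Cross-site page: browser sends the cookie, but the form has no valid token.
    print(handle_request("POST", sid, "transfer", {"amount": "100"}))
```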
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context. In effect, CSRF attacks are used by an attacker to make a target system perform a function (Funds Transfer, form submission etc.) via the target's browser without knowledge of the target user, at least until the unauthorized function has been committed.
- #TOP 1 attack on the web: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- #TOP 2 attack on the web: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
- #TOP 3 attack on the web: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.
Security vs Privacy
As seen in the above scenarios, CSRF is no longer an issue that can be neglected in today's web application arena. CSRF combined with the HPP (HTTP Parameter Pollution) attack vector can even bypass browser-based filters, web application firewalls, and defenses employed in applications. Tools used to identify and prepare CSRF attacks are readily available. Make sure that you patch security holes and check for the most common attacks.