This article introduces the CSRF (cross-site request forgery) vulnerability and demonstrates how to prepare a CSRF proof of concept with OWASP ZAP.
2. Cross-site request forgery
The vulnerability allows an attacker to forge a request on behalf of a user. Consequently, the user's browser does what the attacker wants. Here’s an example:
I. Social engineering is used to lure the user to the attacker’s website. Simultaneously, the user is logged in to bank X.
II. Let’s assume that bank X’s money transfer form is vulnerable to CSRF (no CSRF token, no authorization password). The attacker prepares an exploit that transfers the user’s money to his account and puts it on his website.
III. When the user visits the site of the attacker, the exploit is launched.
IV. The request of money transfer is sent by the user to bank X. From the perspective of bank X, everything is fine (the request carries a valid authentication cookie).