A8 – Cross-Site Request Forgery

Given the nature of this threat, the official OWASP documentation defines it in terms of an attack scenario:

A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Perhaps the most typical case is the one the documentation presents as the canonical attack of this kind.

The problem is an application that lets a user submit a state-changing request to a bank that contains nothing secret or unpredictable: the browser attaches the session cookie by itself, and every other parameter is known to the attacker. Transport encryption does not help here; the request is just as forgeable over HTTPS. A typical example is a plain GET such as http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 ...
