What is Cross-Site Request Forgery (CSRF)? Why is CSRF important?
What is Cross-Site Request Forgery (CSRF)?
A Cross-Site Request Forgery (CSRF) token is used to make sure that state-changing requests really come from the site's own pages, submitted by the logged-in user, rather than from another site the user happens to have open.
A CSRF token is generated for each form. It must be tied to the user's session. The token is sent back to the server together with the request, and the server validates that the submitted token matches the one stored for that session before acting on the request.
Why use CSRF token?
- Let's assume you are logged in at www.mybank.com.
- A money transfer request would usually look like this: http://www.mybank.com/transfer?to=<Accountnumber>;amount=<500>
- You visit www.nearbybuddy.com, not knowing that it is a malicious site.
- The malicious site's page may include a request like this: http://www.mybank.com/transfer?to=454987654;amount=10000
- When you visit www.nearbybuddy.com, your browser makes the above request.
- If you are logged in to www.mybank.com, your bank cannot recognise where the request originated: your web browser sends the request along with your www.mybank.com cookie, so it looks perfectly legitimate. There goes your money!
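The following added example (not code from the original page) shows, in plain Python with no web framework, how a server-side CSRF check defeats the scenario above: a random token is generated per session and placed in the bank's own form, and the transfer handler refuses any request whose submitted token does not match the one stored for the session named by the cookie. The `SESSIONS` store, the `session_id` cookie name, the `csrf_token` form field and the `demo` function are assumptions made for the example; the account number and amount in the forged request are the values from the scenario above.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# In a real application this would be the framework's server-side session.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> str:
    """Create a session and return its id, which is what the browser stores as the cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user}
    return session_id


def issue_csrf_token(session_id: str) -> str:
    """Generate a random CSRF token and bind it to this session.

    The token is embedded in the bank's own form as a hidden field. It is not a
    cookie, so the browser will not attach it automatically to a request that
    some other site triggers, and that other site cannot read it.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """Server-side handler for the transfer request.

    Accepts the request only when the cookie identifies a live session AND the
    submitted token matches the token stored in that session.
    """
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return 401, "not logged in"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak timing information.
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']} for {session['user']}"


def demo() -> tuple[int, int]:
    """Run the legitimate flow and the forged flow; return both status codes."""
    sid = login("alice")
    # Legitimate flow: the bank's form page hands the user a token, which the
    # browser submits together with the session cookie.
    token = issue_csrf_token(sid)
    ok, _ = handle_transfer(
        {"session_id": sid},
        {"to": "111", "amount": "500", "csrf_token": token},
    )
    # Forged flow: a page on another site triggers the same request. The browser
    # attaches the bank cookie automatically, but the foreign page has no way to
    # supply the session's token, so the server rejects the transfer.
    forged, _ = handle_transfer(
        {"session_id": sid},
        {"to": "454987654", "amount": "10000"},
    )
    return ok, forged


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The important design point is where the token lives: the session cookie is sent automatically by the browser on every request to the bank, which is exactly what the attack exploits, whereas the token is only present in requests built from the bank's own page. Binding the token to the session (rather than using one global value) means a token leaked from one user's page is useless against another user's session.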