What is Cross-Site Request Forgery (CSRF)? Why is CSRF important?

What is Cross-Site Request Forgery (CSRF)?

A Cross-Site Request Forgery (CSRF) token is used to make sure that state-changing requests are actually coming from the site's own pages, submitted by its logged-in users, and not from a page on some other site.

A CSRF token is generated for each form and must be tied to the user's session. The token is sent along with the request to the server, and the server validates it before acting on the request.

Why use a CSRF token?

  • Let's assume you are logged in at www.mybank.com.
  • A money-transfer request would typically look like: http://www.mybank.com/transfer?to=<Accountnumber>;amount=<500>.
  • You visit www.nearbybuddy.com, not knowing that it is a malicious site.
  • The malicious page may embed a request like this: http://www.mybank.com/transfer?to=454987654;amount=10000
  • When you load www.nearbybuddy.com, your browser issues that request automatically.
  • If you are logged in to www.mybank.com, your bank cannot tell where the request originated: your browser attaches your www.mybank.com cookie to it, so it looks perfectly legitimate. There goes your money!
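To make the defence described above concrete, here is an added example (not code from the original article) of a transfer handler that generates a session-bound token for the form and validates it before acting. It assumes, as one common binding method, that the token is an HMAC of the session identifier under a server-side key; the handler, the session ids and the request dicts are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side key used to derive tokens (generated at start-up here; a real
# deployment would load a persistent secret from configuration).
SERVER_SECRET = secrets.token_bytes(32)

def generate_csrf_token(session_id: str) -> str:
    """Token for a session = HMAC-SHA256(secret, session id). Because the value
    depends on the session, a token taken from another session will not validate."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def render_transfer_form(session_id: str) -> str:
    """Embed the session's token in the transfer form as a hidden field."""
    token = generate_csrf_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Transfer</button></form>')

def validate_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject a missing token; compare a present one in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(generate_csrf_token(session_id), submitted)

def handle_transfer(request: dict) -> str:
    """Simulated /transfer handler. `request` is a constructed dict: 'cookie_session'
    is what the browser attaches automatically, 'form' holds the submitted fields."""
    session_id = request.get("cookie_session")
    if not session_id:
        return "401 not logged in"
    form = request.get("form", {})
    if not validate_csrf_token(session_id, form.get("csrf_token")):
        return "403 CSRF check failed"
    return f"200 transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    # Legitimate submission: the form rendered for session A carries A's token.
    token = generate_csrf_token("session-A")
    print(handle_transfer({"cookie_session": "session-A",
                           "form": {"to": "123456", "amount": "500", "csrf_token": token}}))
    # Forged cross-site request: the browser still sends the cookie, but the
    # attacker's page cannot read session A's token, so the field is absent.
    print(handle_transfer({"cookie_session": "session-A",
                           "form": {"to": "454987654", "amount": "10000"}}))
```

The forged request carries the victim's cookie exactly as in the scenario above, yet it is refused because the token that only the bank's own page could have supplied is missing.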