Application checks user session before performing an action on their behalf

Cross-site request forgery – "session riding"

⚪ User is logged into your application when they visit a malicious source
⚪ Server trusts browser cookies regardless of request origin
⚪ Can happen via image GET, hidden form POST, JavaScript asynchronous request, etc.
🔴 Potent if the victim has elevated privileges

⚪ Traditional GET requests should not perform state-changing actions
⚪ Traditional POST requests should be paired with CSRF tokens
⚪ Asynchronous JavaScript is governed by the Same-origin policy (SOP) and Cross-origin resource sharing (CORS); must avoid Access-Control-Allow-Origin: * on credentialed endpoints. I have also seen many call for using CSRF tokens with JavaScript, but it can be tricky depending on the overall architecture/framework
⚪ Newer server-side SameSite cookie attribute prevents cookies from being attached when the request originates from somewhere else; however, the browser is responsible for the actual implementation/prevention
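The mitigations above, as an added example that is not part of the original notes: a minimal server-side handler for a state-changing action that refuses GET, requires a CSRF token bound to the session on POST, emits the session cookie with SameSite/Secure/HttpOnly, and answers CORS with an allow-list instead of `*`. The endpoint name `handle_transfer`, the session id `sess-abc123` and the origins are constructed for illustration; the server secret is generated at import for the demo and would normally come from configuration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

# Demo-only secret (constructed); a real deployment loads this from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session cookie value (HMAC-SHA256).

    Stateless variant of the synchronizer token: the server stores nothing,
    and a page on another origin cannot read the session cookie, so it
    cannot compute the token it would need to forge a POST.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def session_cookie_header(session_id: str, same_site: str = "Lax") -> str:
    """Set-Cookie value for the session cookie with SameSite, Secure, HttpOnly.

    SameSite=Lax blocks the cookie on cross-site POSTs and on subresource GETs
    such as <img>; Strict also blocks it on top-level cross-site navigations.
    Enforcement is the browser's job, so this is defence in depth, not a
    replacement for the token check.
    """
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def cors_headers(request_origin: Optional[str], allowed_origins: Set[str]) -> Dict[str, str]:
    """Reflect only an allow-listed Origin; never '*' on a credentialed endpoint."""
    if request_origin in allowed_origins:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # unknown origin: browser will block the cross-origin read


def handle_transfer(method: str, session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing endpoint: GET never acts, POST needs a valid CSRF token."""
    if method == "GET":
        return 405, "state-changing action not allowed via GET"
    if method != "POST":
        return 405, "method not allowed"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "sess-abc123"  # constructed session id
    print(session_cookie_header(sid))
    # Forged <img src=...> style GET: refused outright.
    print(handle_transfer("GET", sid, {"amount": "100", "to": "acct-9"}))
    # Forged hidden-form POST from another origin: no token, refused.
    print(handle_transfer("POST", sid, {"amount": "100", "to": "acct-9"}))
    # Legitimate form rendered by the application carries the token.
    form = {"amount": "100", "to": "acct-9", "csrf_token": issue_csrf_token(sid)}
    print(handle_transfer("POST", sid, form))
    print(cors_headers("https://other.example", {"https://app.example"}))
```

The token is an HMAC over the session id rather than a random value stored per session; either works, the point is that it is unguessable from outside the origin and is compared in constant time.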