This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
m (Point to the official site)
 
(177 intermediate revisions by 22 users not shown)
Line 1: Line 1:
= Introduction =
+
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site that the user is currently authenticated to. For example, this attack could result in a transfer of funds, changing a password, or purchasing an item in the users’ context.
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
A successful CSRF exploit can compromise end user data and operation, when it targets a normal user. If the targeted end user is an administrator account, a CSRF attack can compromise the entire Web application. The sites that are more likely to be attacked are community Websites (social networking, email) or sites that have high dollar value accounts associated with them (banks, stock brokerages, bill pay services). This attack can happen even if the user is logged into a Web site using strong encryption (HTTPS).
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet] to see the latest version of the cheat sheet.
 
 
Utilizing social engineering, an attacker will embed malicious HTML or JavaScript code into an email or Website to request a specific 'task url'. The task then executes with or without the users knowledge, either directly or by utilizing a Cross-site Scripting Flaw.
 
 
 
In effect, CSRF attacks are used by an attacker to make a target system perform a function (Funds Transfer, Form submission etc..) via the targets browser without knowledge of the target user, at least until the unauthorized function has been committed.
 
 
 
= Prevention =
 
 
 
== Token Based ==
 

Latest revision as of 14:02, 15 July 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet to see the latest version of the cheat sheet.