From the course: ASP.NET: Security
Cross-Site Request Forgery (CSRF)
- [Tutor] The final attack I would like to cover in this chapter is Cross-Site Request Forgery, or in short CSRF. Some people use XSRF as the abbreviation, but CSRF is just more common, so I'll stick with that. There are different approaches to Cross-Site Request Forgery, but I'll show you the most common one. The idea is that the victim is authenticated with a web application, and the web application is using cookie-based authentication, meaning that every HTTP request comes with the cookie. And based on the cookie, the application authenticates and also authorizes the user. And this could be abused in the following fashion. The attacker somehow lures the victim to make an HTTP request to their site. So an HTTP request is being sent to the attacker's server, and the attacker returns an HTTP response that in turn triggers a new HTTP request, for instance by doing redirection or with some JavaScript code that does the request. Turns out that this request goes to the web server that is…
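The mechanism described above, as an added illustration that is not part of the course: a request handler that trusts the session cookie alone accepts a request the victim's browser was tricked into sending, because the browser attaches the cookie automatically; a handler that additionally requires a per-session anti-forgery token (the synchronizer-token pattern, using the `__RequestVerificationToken` field name ASP.NET uses for it) rejects it, since the attacker's page never sees that token. The session store, request model and handlers are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {"sess-victim": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    """Minimal model of an HTTP request as seen by the target application."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)


def handle_transfer_vulnerable(req: Request):
    """Cookie-only authentication: any request carrying a valid session cookie is acted on."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    return 200, f"transferred {req.form['amount']} from {session['user']}"


def handle_transfer_protected(req: Request):
    """Synchronizer token: the form must echo the secret token stored in the session."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = req.form.get("__RequestVerificationToken", "")
    # Constant-time comparison so token checking does not leak timing information.
    if not secrets.compare_digest(submitted, session["csrf_token"]):
        return 400, "anti-forgery token missing or invalid"
    return 200, f"transferred {req.form['amount']} from {session['user']}"


def forged_request() -> Request:
    """Constructed: the request the victim's browser sends after the attacker's page
    triggers it (redirect or script). The browser adds the site's cookie automatically,
    but the attacker's page cannot read the token held in the victim's session."""
    return Request("POST", "/transfer", {"session": "sess-victim"}, {"amount": "100"})


def legitimate_request() -> Request:
    """Constructed: the same POST submitted from the site's own form, which rendered the token."""
    token = SESSIONS["sess-victim"]["csrf_token"]
    return Request("POST", "/transfer", {"session": "sess-victim"},
                   {"amount": "100", "__RequestVerificationToken": token})
```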