Cross-site request forgery is when attackers trick a browser into making a request to another site, usually a site where the browser is already logged in and has access privileges.
A cross-site request forgery attack is when an attacker tricks a user's browser into sending a request to another site. Cross-site because the attack originates at one site, but sends a request to another site. And request forgery because the request is not a genuine user request. Cross-site request forgery is often shortened to CSRF. Imagine that a hacker wants to get a user to click a link. One way would be to name the link with something deceptive and post it online or send it in an email. The link hides the action, but it still requires a user to click on it. A CSRF attack does not depend on the user clicking a link. Instead, the attacker places the URL into the HTML of a page, most often as the source attribute of an image tag. When the page loads, the browser automatically sends a request for each of the images that are in the HTML. It doesn't matter that this image source will fail to return an image. The request will still be made.
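The mechanism described above, modelled in code as an added example that is not part of the course: a constructed in-memory session store and request object, a transfer endpoint that trusts the session cookie alone (which is exactly what the image tag exploits, since the browser attaches cookies automatically), and a hardened version of the same endpoint that refuses GET for state changes, checks the browser's Sec-Fetch-Site header, and requires a per-session synchronizer token. All names and the `bank.example` URL are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS = {}  # session id -> session data (in-memory stand-in for a real store)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change server state

def new_session(user):
    """Log a user in: session cookie value plus a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

@dataclass
class Request:
    method: str
    cookies: dict                      # the browser attaches these automatically
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def transfer_vulnerable(req):
    """Checks only the session cookie, so a page on any site that embeds
    <img src="https://bank.example/transfer?to=X&amount=100"> triggers it."""
    if req.cookies.get("sid") not in SESSIONS:
        return 401
    return 200  # transfer performed

def transfer_hardened(req):
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method in SAFE_METHODS:
        return 405  # an image tag can only send GET; state changes need POST
    # Sec-Fetch-Site (modern browsers) names the initiator; a cross-site page is refused.
    # A missing header (older browser) is allowed through to the token check.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # the attacker's page cannot read the victim's token
    return 200

def forged_image_request(sid):
    """What the victim's browser sends when it loads the attacker's <img> tag."""
    return Request("GET", {"sid": sid}, {"Sec-Fetch-Site": "cross-site"})

def legitimate_request(sid):
    """What the bank's own form submits."""
    return Request("POST", {"sid": sid}, {"Sec-Fetch-Site": "same-origin"},
                   {"csrf_token": SESSIONS[sid]["csrf"]})
```

The three checks are independent: the GET refusal alone defeats the image-tag variant, while the header and token checks also stop an auto-submitted cross-site form.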