CSRF | About the CSRF attack and how to defend against it: thinking deeply

About CSRF:

  CSRF (Cross-Site Request Forgery): most security people know CSRF. It looks similar to XSS, but it is considered more dangerous than XSS.

Developer Eyes:

  As a developer, you need to know the request methods CSRF uses; they fall roughly into POST and GET types.

About POST request types:

  Scenario: paying money to buy a computer.

  The URL looks like xxx.xxx.xxx/buy.php?id=xxx. If an attacker finds the CSRF bug, they can construct an HTML PoC that submits a POST request:

  <!-- hidden form pointing at the shop; the victim's browser attaches the shop's cookies -->
  <form method="POST" action="xxx.xxx.xxx/buy.php?id=xxx" enctype="multipart/form-data">
      <input type="hidden" name="money" value="xxx"/>
      .....
  </form>
  <script>
      // submits the form automatically as soon as the page loads
      document.forms[0].submit();
  </script>

About GET request types:

  Scenario: paying money to buy a computer.

  The shop returns the URL: xxx.xxx.xxx/buy.php?id=xxx&submit_id=1&money=199&user=test

How to defend against CSRF in development?

  In general there are three methods: validating a token, validating the Referer, and requiring a verification code. Sites like PayPal also validate the cookie or session, and some reject requests that carry no Origin header.
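  As an added example (not the blog's own code), the following Python shows a server-side check for a state-changing POST like buy.php that combines the defenses named above: a per-session token, an Origin/Referer comparison, and rejection of requests with no Origin. The shop origin, the attacker origin and the session dict are constructed stand-ins; the demo pits a legitimate purchase against the auto-submitting form from the POST section.

```python
import hmac
import secrets
from urllib.parse import urlparse

ALLOWED_ORIGIN = "https://shop.example"  # constructed stand-in for xxx.xxx.xxx


def issue_token(session: dict) -> str:
    """Put a fresh random token in the server-side session (found via the session
    cookie) and return it for the shop to embed in its own buy form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(session: dict, headers: dict, form: dict, require_origin=True):
    """Validate a state-changing POST such as buy.php; returns (ok, reason)."""
    # 1. Token: a page on another site cannot read the victim's session token,
    #    so a forged form cannot supply the right value. Constant-time compare.
    expected = session.get("csrf_token")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False, "token mismatch"
    # 2. Origin/Referer: set by the browser, so a forged request carries the
    #    attacker's origin rather than the shop's.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # 3. As the text notes, some sites simply reject requests with no Origin.
        return (False, "no Origin/Referer") if require_origin else (True, "ok")
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" != ALLOWED_ORIGIN:
        return False, "cross-origin request"
    return True, "ok"


def demo():
    """Legitimate purchase versus the auto-submitting form from the POST section."""
    session = {}                          # the victim's server-side session
    token = issue_token(session)
    real = csrf_check(session, {"Origin": ALLOWED_ORIGIN},
                      {"id": "xxx", "money": "199", "csrf_token": token})
    # The forged form arrives with the victim's cookie (so `session` is found)
    # but without the token and from the attacker's page.
    forged = csrf_check(session, {"Origin": "https://attacker.example"},
                        {"id": "xxx", "money": "xxx"})
    return real, forged
```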

How does an attacker find and use CSRF?

  Under certain conditions, during testing we can find exposed values and test some URL requests, trying a different user name to check whether the CSRF is effective.

End

  This is the first part of "defense think deeply"; later I will write about using CSRF and about exposed bugs.

Reposted from www.cnblogs.com/l0cm/p/10412717.html