CSRF (Cross-Site Request Forgery) is a web attack, also referred to as a "One Click Attack" or Session Riding, and commonly abbreviated as CSRF or XSRF.
A CSRF vulnerability arises when a web application lets the user perform a sensitive operation (changing the account password, adding an account, transferring funds, and so on) without checking a token value in the form or the Referer HTTP request header, so that a malicious attacker can use the normal user's identity (their cookie) to complete the operation.
For a CSRF attack to succeed, the victim must complete two steps in order:
1. Log in to trusted site A, which generates a cookie locally.
2. While that cookie is still valid, visit malicious site B.
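The defence the text names (checking a form token and the Origin/Referer header) as an added example that is not part of the original article; the site names, the session dictionary and the request headers are constructed placeholders:

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed placeholder for trusted site A; site B is anything else.
TRUSTED_ORIGIN = "https://site-a.example"


def issue_csrf_token(session):
    """Create an unguessable per-session token and store it server-side.
    It is embedded in site A's forms; site B cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_same_origin(headers):
    """Prefer the Origin header, fall back to Referer, reject if both absent.
    A request that rides on the cookie from site B carries B's origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == TRUSTED_ORIGIN


def validate_sensitive_request(session, headers, form):
    """Gate a sensitive operation (password change, transfer, ...).
    Returns (allowed, reason). Both checks must pass."""
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token bytes cannot be guessed via timing.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    if not is_same_origin(headers):
        return False, "cross-origin request rejected"
    return True, "ok"


if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)
    # Constructed sample: legitimate submission from site A's own form.
    print(validate_sensitive_request(sess, {"Origin": TRUSTED_ORIGIN}, {"csrf_token": tok}))
    # Constructed sample: forged request from site B (cookie present, token absent).
    print(validate_sensitive_request(sess, {"Origin": "https://site-b.example"}, {}))
```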
CSRF high-risk trigger points
Forum and message exchanges
User center
Inquiry forms
Transaction management
Back-end administration
Harm of CSRF vulnerabilities
1. A CSRF vulnerability can cause the victim, without their knowledge, to post a message on a forum, subscribe to a mailing list, shop online or trade stocks, or change their username or password. Even for web applications protected by a web application firewall, CSRF attacks can bypass the firewall and attack the application, because the forged requests arrive from a legitimate user's browser.
2. A CSRF vulnerability can be combined with an XSS vulnerability to further increase the harm.
3. Forged HTTP requests perform unauthorized operations:
Tampering with or stealing the user's important data on the target site.
Performing, as the user, actions that harm their reputation or assets, such as spreading harmful information or spending their funds.
If the site administrator is targeted using social engineering and similar methods, the security of the site itself is endangered.
4. Serving as an auxiliary method for other attack vectors, for example in combination with XSS.