Vulnerability causes and principles
Cross-site request forgery (CSRF) means that an attacker crafts an HTTP request to the target site and lures a user who is currently logged in to that target site onto a third-party site that issues the request. Because the browser automatically attaches the user's cookies for the target site, and the target site does not check whether the request originated from its own pages or from a third-party source, the forged request succeeds.
XSS exploits the user's trust in the site, while CSRF exploits the site's trust in the user: it forges requests that appear to come from the trusted, logged-in user.
Difference from XSS
XSS aims to obtain the user's cookie (or to run script in the user's session); nothing needs to be forged, the user triggers the script directly, and the script can perform any function the site offers.
CSRF never learns the contents of the cookie; it relies on the browser attaching the cookie automatically and uses that to send a forged request to the server as the user.
Vulnerability hazards
Tricks the user's browser into sending an HTTP request to the target site on the user's behalf.
An IMG tag triggers a GET request when the page loads, so a single image tag on an attacker's page is enough to carry out a CSRF attack against any site that performs state changes via GET.
Vulnerability defenses
1 Use a token: embed an unpredictable per-session token in every state-changing form and reject requests whose token does not match the session's token
2 Restrict the Referer: reject state-changing requests whose Referer (or Origin) header is not the site's own origin
3 Use a verification code (CAPTCHA) on sensitive operations, so the request cannot be completed without user interaction
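The following is an added example, not code from the original page or from DVWA. It models the IMG-tag attack described above and the first two defenses in one runnable script: a stand-in browser that attaches the session cookie to every request for the target origin, a DVWA-style handler that changes the password on a GET authenticated only by that cookie, and a hardened handler that requires POST, checks the Referer origin, and compares a per-session token with hmac.compare_digest. The hostnames target.example and evil.example, the /change_password path, the password_new and csrf_token parameter names, and the user alice are all constructed for the example; the CAPTCHA defense is not simulated.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlparse

TARGET = "http://target.example"      # hypothetical vulnerable site
ATTACKER = "http://evil.example"      # hypothetical third-party site


class Browser:
    """Stand-in for the victim's browser: it attaches the cookie stored for
    TARGET to every request sent there, no matter which page triggered it."""

    def __init__(self):
        self.cookies = {}

    def set_cookie(self, origin, name, value):
        self.cookies.setdefault(origin, {})[name] = value

    def request(self, method, url, referer, form=None):
        parts = urlparse(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        return {
            "method": method,
            "path": parts.path,
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "form": form or {},
            "cookies": dict(self.cookies.get(origin, {})),   # sent automatically
            "referer": referer,
        }


class Server:
    def __init__(self):
        self.users = {"alice": "s3cret"}       # constructed account
        self.sessions = {}                     # session id -> {"user", "csrf_token"}

    def login(self, browser, user, password):
        if self.users.get(user) != password:
            return 401
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
        browser.set_cookie(TARGET, "session", sid)
        return 200

    def _session(self, req):
        return self.sessions.get(req["cookies"].get("session"))

    def vulnerable_change_password(self, req):
        """DVWA-style handler: state change via GET, authenticated by cookie alone."""
        sess = self._session(req)
        if sess is None:
            return 401
        self.users[sess["user"]] = req["query"]["password_new"]
        return 200

    def hardened_change_password(self, req):
        """Same operation with a method check, Referer restriction and session token."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req["method"] != "POST":                 # an <img> can only produce GET
            return 405
        ref = urlparse(req["referer"] or "")
        if f"{ref.scheme}://{ref.netloc}" != TARGET:   # Referer must be our own origin
            return 403
        sent = req["form"].get("csrf_token", "")
        if not hmac.compare_digest(sent, sess["csrf_token"]):  # constant-time compare
            return 403
        self.users[sess["user"]] = req["form"]["password_new"]
        return 200


def attacker_page(new_password):
    """Constructed third-party page: an <img> whose src is the password-change URL."""
    return f'<html><body><img src="{TARGET}/change_password?password_new={new_password}"></body></html>'


def visit(browser, html, handler):
    """Simulate the browser loading every <img> on the attacker's page."""
    return [handler(browser.request("GET", src, referer=ATTACKER))
            for src in re.findall(r'<img src="([^"]+)"', html)]


def demo():
    server, browser = Server(), Browser()
    server.login(browser, "alice", "s3cret")
    page = attacker_page("pwned")
    # 1. vulnerable handler: the forged GET silently changes the password
    visit(browser, page, server.vulnerable_change_password)
    pw_after_vuln = server.users["alice"]
    # 2. hardened handler: the same page is refused
    server.users["alice"] = "s3cret"
    codes = visit(browser, page, server.hardened_change_password)
    pw_after_hardened = server.users["alice"]
    # 3. a legitimate POST from the site's own form carries the session token
    token = server.sessions[browser.cookies[TARGET]["session"]]["csrf_token"]
    legit = browser.request("POST", f"{TARGET}/change_password", referer=f"{TARGET}/account",
                            form={"password_new": "newpass", "csrf_token": token})
    legit_code = server.hardened_change_password(legit)
    return pw_after_vuln, codes, pw_after_hardened, legit_code, server.users["alice"]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the forged GET changing alice's password on the vulnerable handler, the hardened handler answering 405 and leaving the password untouched, and the site's own form succeeding with the token. The Referer check alone is weaker than the token: browsers may suppress the header under some referrer policies, and a missing header must then be treated as a rejection rather than a pass, which is what the code above does.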
Vulnerability case presentation
The case is demonstrated with DVWA.
DVWA's change-password page contains a CSRF vulnerability: the victim only has to click a link and the victim's password is changed.
The new password is carried in the URL of the request, so the request can be triggered by any link or image tag.
This is a simple CSRF.