CSRF (Cross-site request forgery), Chinese name: Cross-site request forgery, also known as: one click attack/session riding, abbreviated as: CSRF/XSRF.
What can CSRF do?
You can understand the CSRF attack in this way: attackers steal your identity and send malicious requests in your name. What CSRF can do includes sending emails, sending messages, stealing your account, or even purchasing goods, and transferring virtual currency ...... these problems include personal privacy leaks and property security.
CSRF principle:
Ps: At this point, all the above content comes from the Internet. Well, we have already understood the definition and principles. Next we will discuss how to launch an attack with the webgoat project.
Scenario: www.2cto.com user A opens the stationery Reservation System website X to Book Stationery. If user A does not exit X, he can access the insecure website Y. User Y can access website X and send A transfer request to transfer funds.
Step 1:
User A opens the stationery Reservation System and logs on
How attackers can obtain requests:
The transfer id is the account to be transferred by the attacker, and the transfer amount is the amount to be stolen. On this page, we don't have to worry about submission. Open FIREFOX and obtain the form submission as follows:
Then we disguise the above request to malicious website Y.
The submitted results are as follows:
If user A's account does not exit, just click the picture above and the money that the attacker purchases Stationery will be transferred away.