CSRF exploits the trust that a site has in a user’s browser: the attacker crafts a forged HTTP request, delivers it to the victim’s browser by any means (typically a link the user is lured into clicking), and, because the browser attaches the victim’s session cookies automatically, the server treats the request as legitimate and serves it.
Impact on Security:
- Attack on Integrity
Exploitability: Average
Impact: Moderate
Possible Mitigation:
- Include a unique, unpredictable per-session token in a hidden form field, and prefer carrying it in the body of the HTTP request rather than in the URL.
- Use OWASP CSRFGuard or ESAPI.
- Use a CAPTCHA to confirm that a human is submitting the request.
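The first mitigation above is the synchronizer-token pattern. Here is an added example (not code from the original post) that implements it with only the Python standard library; `Session`, `render_form` and `validate_request` are assumed names, and the requests are constructed samples.

```python
# Added example: synchronizer-token CSRF defense (not from the original post).
# Assumed names: Session, render_form, validate_request, demo.
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Session:
    """Server-side session. The token is stored here and only reaches the
    browser inside the HTML we render, so a cross-site page cannot read it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_form(session: Session) -> str:
    """Embed the per-session token in a hidden field, so it travels in the
    POST body rather than in the URL (where it would leak via Referer/logs)."""
    token = html.escape(session.csrf_token, quote=True)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def validate_request(session: Session, method: str, body: str) -> bool:
    """Accept a state-changing request only if it is a POST whose body carries
    the session's token. compare_digest avoids a timing side channel."""
    if method.upper() != "POST":          # a state-changing endpoint never honours GET
        return False
    fields = parse_qs(body, keep_blank_values=True)
    submitted = fields.get("csrf_token", [""])[0]
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def demo() -> dict:
    """Constructed sample requests against one victim session."""
    victim = Session(user="alice")
    legit = f"amount=100&csrf_token={victim.csrf_token}"   # from our own form
    forged = "amount=100&csrf_token=" + secrets.token_urlsafe(32)  # attacker's guess
    missing = "amount=100"                                  # no token at all
    return {
        "legit": validate_request(victim, "POST", legit),
        "forged": validate_request(victim, "POST", forged),
        "missing": validate_request(victim, "POST", missing),
        "get_with_token": validate_request(victim, "GET", f"csrf_token={victim.csrf_token}"),
    }
```

Only the legitimate submission is accepted; the forged, token-less and GET requests are all rejected.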