From the course: Security in ASP.NET Core
Cross-Site Request Forgery (CSRF): The attack
- [Instructor] The final attack that I would like to cover in this chapter is cross-site request forgery, or CSRF. Some people are using XSRF, but if you ask me, they are wrong. No, I'm kidding. But CSRF is more common. Some people even pronounce it C-SRF, which I also find a bit weird. There are different approaches to how cross-site request forgery works, but here is a very common one. Let's just assume a client is authenticated against the web application, for instance, by using a cookie, and then the following happens. First of all, the client is sending an HTTP request to the attacker's server, because of following a link in a spam email, whatever. In the HTTP response, the attacker planted some HTML or some JavaScript that prompts the client browser to send a specific HTTP request somewhere else, the web server the client is authenticated with. So, the attacked server here gets an HTTP request from the client that's authenticated, so that server considers the request as legit. But client…