What is cross-site request forgery (CSRF)?

D2 · Threats · CompTIA Security+ SY0-701
CSRF (Cross-Site Request Forgery) tricks an authenticated user's browser into sending an unwanted request to a web app where they're logged in. The app sees a legitimate session cookie and executes the action.

Example: You're logged into your bank. You visit a malicious site that has a hidden form submitting a money transfer to the attacker. Your browser sends the request with your valid session cookie.
CSRF exploits the trust a site has in a user's browser: the browser attaches the session cookie automatically, so the server cannot tell a forged request from a genuine one by the cookie alone. Prevention: CSRF tokens (anti-forgery tokens), the SameSite cookie attribute, and re-authentication for sensitive actions. Different from XSS, which exploits the user's trust in the site.
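The two preventions named above, as an added example that is not part of the original glossary entry: a small simulation of the bank's `/transfer` handler that issues the session cookie with `SameSite=Lax`, derives a per-session anti-forgery token (HMAC of the session id under a server secret) and rejects any state-changing request that lacks it. The `issue_session`, `csrf_token_for` and `handle_transfer` names, the in-memory session store and the request inputs are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to derive CSRF tokens. Assumption: a real app loads
# this from configuration; it is generated here so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)

# In-memory session store, session_id -> username (constructed for the example).
SESSIONS: dict[str, str] = {}


def issue_session(username: str) -> tuple[str, str]:
    """Create a session and return (session_id, Set-Cookie header value).

    SameSite=Lax makes the browser withhold the cookie on cross-site POSTs,
    so a hidden form on another origin arrives without the session at all.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    cookie = f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return session_id, cookie


def csrf_token_for(session_id: str) -> str:
    """Anti-forgery token bound to one session: HMAC-SHA256(secret, session_id).

    The token is embedded in the bank's own HTML forms; a page on another
    origin cannot read it because of the same-origin policy.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookies: dict[str, str], form: dict[str, str]) -> tuple[int, str]:
    """Simulate the server handling POST /transfer; returns (HTTP status, message).

    The transfer is executed only if the session cookie is valid AND the form
    carries the token derived for that same session.
    """
    session_id = cookies.get("session")
    if session_id is None or session_id not in SESSIONS:
        return 401, "no valid session"
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    user = SESSIONS[session_id]
    return 200, f"transferred {form.get('amount')} to {form.get('to')} for {user}"


def demo() -> tuple[int, int, int]:
    """Run the three cases from the text and return their status codes.

    1) legitimate request from the bank's own page (has the token),
    2) forged cross-site form where the browser still attached the cookie,
    3) forged cross-site form where SameSite made the browser withhold the cookie.
    """
    session_id, _set_cookie = issue_session("alice")

    legit_form = {"to": "savings", "amount": "100", "csrf_token": csrf_token_for(session_id)}
    ok, _ = handle_transfer({"session": session_id}, legit_form)

    # The malicious page cannot read the token, so its hidden form has none.
    forged_form = {"to": "attacker", "amount": "100"}
    forged, _ = handle_transfer({"session": session_id}, forged_form)

    # Same forged form, but the browser honoured SameSite=Lax on the cross-site POST.
    no_cookie, _ = handle_transfer({}, forged_form)

    return ok, forged, no_cookie


if __name__ == "__main__":
    print(demo())  # expected: (200, 403, 401)
```

The two defences are independent layers: the token check stops the forged request even when the cookie is attached, and `SameSite` stops the cookie from being attached in the first place. Neither replaces re-authentication for the most sensitive actions.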