Cross-Site Request Forgery (CSRF) Flashcards

1
Q

Explain CSRF

A
  1. the victim is logged into a website with an authenticated session
  2. there’s another website, controlled by an attacker, and the victim unknowingly visits that malicious website while the session on the legitimate website is still active
  3. while the victim is on the malicious website, it sends a hidden request to the legitimate website on the victim’s behalf (changing a password, making a purchase, or deleting an account)
  4. the legitimate website receives the request, but since it still recognizes the victim as an authenticated user (the victim has an active session), it assumes the request is legitimate and processes it
  5. as a result, an action the victim didn’t intend to perform is executed on the legitimate website without the victim even realizing it
2
Q

What does CSRF exploit?

A

trust and privileges that a web application has granted to the victim’s browser

3
Q

What does CSRF rely on?

A

CSRF attacks typically target web applications that rely on authenticated sessions or cookies to identify users

4
Q

What’s the CSRF attack process?

A
  • the attacker crafts a malicious webpage or email containing a specially crafted request that targets the vulnerable web application
  • the victim, who is already authenticated in the web application, visits the malicious webpage or clicks on the malicious link
  • unbeknownst to the victim, their browser sends the malicious request to the vulnerable web application, executing the unwanted action
5
Q

What are the consequences of CSRF attacks?

A
  • Unauthorized Actions
  • Data Exposure
  • Session Hijacking
6
Q

What’s the prevention and mitigation of CSRF attacks?

A
  • Anti-CSRF Tokens
    • implement and validate unique, randomly generated tokens for each user session to ensure that requests originate from legitimate sources
  • Same-Site Cookies
    • set the “SameSite” attribute on cookies to restrict their usage to requests originating from the same site, mitigating the impact of CSRF attacks
  • Referer Header
    • validate the “Referer” header in HTTP requests to ensure requests originate from trusted sources
  • Strict Access Controls
    • implement strong access controls and permissions to restrict unauthorized actions even if a CSRF attack is successful
  • User Awareness
    • educate users about the risks of clicking on suspicious links or visiting unknown websites to prevent falling victim to CSRF attacks