{"id":4613,"date":"2017-07-27T20:29:42","date_gmt":"2017-07-27T12:29:42","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4613"},"modified":"2017-10-03T19:26:06","modified_gmt":"2017-10-03T11:26:06","slug":"all-you-need-to-know-about-cross-site-request-forgery-csrf","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/07\/all-you-need-to-know-about-cross-site-request-forgery-csrf\/","title":{"rendered":"All You Need To Know About Cross-Site Request Forgery (CSRF)"},"content":{"rendered":"

Cross-Site Request Forgery is a term you’ve probably heard in the context of web security or web hacking, but do you really know what it means? The OWASP definition is as follows:<\/p>\n

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.<\/p><\/blockquote>\n


CSRF is often underrated on the risk spectrum but we’ve actually covered some pretty nasty incidents involving CSRF attacks:<\/p>\n

CSRF Vulnerability in Twitter Allows Forced Following<\/a>
\n–
Password Manager Security \u2013 LastPass, RoboForm Etc Are Not That Safe<\/a>
\n–
Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version<\/a><\/p>\n

And some tools to help test for CSRF vulnerabilities:<\/p>\n

IronWASP \u2013 Open Source Web Security Testing Platform<\/a>
\n–
Hcon Security Testing Framework (HconSTF) v0.4 \u2013 Fire Base<\/a>
\n–
xssless \u2013 An Automated XSS Payload Generator Written In Python<\/a><\/p>\n

Acunetix has come out with a great article explaining it in more depth, along with how you can prevent it; it contains information about:<\/p>\n