Cross-Site Request Forgery (XSRF)
Vulnerabilities, Attacks, and Mitigations |
Prof. David Bernstein |
Computer Science Department |
bernstdh@jmu.edu |
Example of a malicious URL (a request that performs an action on the victim's behalf):
www.cs.jmu.edu/process.php?command=drop&parameter=CS531

Attack vectors (ways to make the victim's browser send such a request):
- An IMG element that contains the malicious URL in the src attribute
- A FORM in which the victim enters the FORM data and clicks on the SUBMIT button
- A FORM and a client-side script that performs the submission (no user action needed)

Mitigations:
- Check the referer header before processing a request (Note: referer is the official spelling, not referrer)
- Include a random token in a hidden FORM field in all responses (so that it is automatically sent back to the server in the request) and have the server compare the submitted FORM field with the copy it keeps
- Include the same token in a cookie and in the FORM data in all requests; the server checks to ensure that they are the same (without having to store any state information)