CSRF - CROSS-SITE REQUEST FORGERY


CONCEPT

The flaw occurs when an attacker causes the user's browser to send a forged request to a website. If the user is already authenticated to that site, the request is executed.

EXAMPLE

An application lets the user submit a money-transfer request.

www.bank.com
Cookie: auth_ok

www.attacker.org
GET transfer.cgi?am=10000&an=3422421

The attacker builds a transfer request that moves money from the user's account into the attacker's own account, then hides it in an image tag on a web page under the attacker's control.

ATTACK TECHNIQUES

Forging a GET request. Example: put a URL that triggers the request into the src of an <img> tag.

Forging a POST request. Example: the attacker creates an iframe that fills in an HTML form and submits it using JavaScript.

TOOLS FOR FINDING CSRF

WebScarab Spider http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
CSRF Tester http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
Cross Site Requester http://yehg.net/lab/pr0js/pentest/cross_site_request_forgery.php (via img)
Cross Frame Loader http://yehg.net/lab/pr0js/pentest/cross_site_framing.php (via iframe)
Pinata-csrf-tool http://code.google.com/p/pinata-csrf-tool/

PREVENTION

When the user makes an HTTP request, the request should carry a special value (a token) that is not part of the URL. OWASP provides a tool, CSRF Guard, that automatically adds such a value to requests.
https://www.owasp.org/index.php/CSRFGuard

Alternatively, the application can require the user to re-authenticate when performing a request.
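The token-based defence the slides describe, shown as an added example that is not part of the original slides and is not OWASP CSRF Guard's code. It simulates the bank's transfer.cgi handler in plain Python (the Request class, the in-memory SESSIONS store and the account values are constructed for the demonstration): the "before" handler trusts the session cookie alone and accepts GET, so the forged request from the slides succeeds; the hardened handler accepts POST only and requires a per-session token that a page on another origin cannot read, so the same forged request is rejected while the bank's own form still works.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session cookie value -> session data.
# A real application would keep this in server-side session storage.
SESSIONS: dict[str, dict] = {}


def login(user: str) -> str:
    """Create a session for `user` and return the value of its session cookie."""
    sid = secrets.token_urlsafe(32)
    # One unguessable CSRF token per session, generated server-side.
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own transfer form (hidden field), never in a URL."""
    return SESSIONS[sid]["csrf_token"]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)   # URL parameters
    form: dict = field(default_factory=dict)    # POST body fields


def transfer_vulnerable(req: Request) -> tuple[int, str]:
    """'Before' handler: trusts the session cookie alone and accepts GET.
    A cross-site <img src=...> request carries the cookie, so it succeeds."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    amount = req.query.get("am") or req.form.get("am")
    account = req.query.get("an") or req.form.get("an")
    return 200, f"transferred {amount} from {sess['user']} to {account}"


def transfer_protected(req: Request) -> tuple[int, str]:
    """Hardened handler: POST only, and the form must carry the session's CSRF token."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {req.form['am']} from {sess['user']} to {req.form['an']}"


def demo() -> dict:
    """Run the forged and the legitimate request through both handlers; return status codes."""
    sid = login("alice")
    # Forged cross-site GET (the <img src> case from the slides): the browser attaches
    # the cookie, but the attacker's page cannot read the token, so it is absent.
    forged_get = Request("GET", "/transfer.cgi", cookies={"session": sid},
                         query={"am": "10000", "an": "3422421"})
    # Forged cross-site POST (the iframe-form case): still no token.
    forged_post = Request("POST", "/transfer.cgi", cookies={"session": sid},
                          form={"am": "10000", "an": "3422421"})
    # Legitimate request from the bank's own form, which includes the hidden token.
    legit = Request("POST", "/transfer.cgi", cookies={"session": sid},
                    form={"am": "50", "an": "1234", "csrf_token": csrf_token_for(sid)})
    return {
        "vulnerable_forged_get": transfer_vulnerable(forged_get)[0],   # 200: attack works
        "protected_forged_get": transfer_protected(forged_get)[0],     # 405
        "protected_forged_post": transfer_protected(forged_post)[0],   # 403
        "protected_legit": transfer_protected(legit)[0],               # 200
    }


if __name__ == "__main__":
    print(demo())
```

The token must be bound to the session and compared in constant time; placing it in a hidden form field (or a custom header) rather than in the URL keeps it out of logs and Referer headers, which is the point the slides make about the value "not being in the URL".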