on Sun Aug 16 2020
Takes advantage of the fact that cookies (or Basic authentication credentials) are attached by the browser to every request it sends to that site, whichever page triggered the request.
<img src="http://bank.com/transfers?from=12&to=18&amount=100" />
The URL above is fetched with a GET request, so an image tag on any page is enough to trigger a state-changing action. That is one of several reasons to align with REST conventions: GET should be safe, and actions that change state belong on POST/PUT/DELETE.
HTML forms are another vector: a form targeting the bank can be hidden in a landing page and submitted by a script, and if the user is already logged in the browser sends the cookies along with it.
Only Basic or cookie authentication schemes are vulnerable, because those credentials are attached automatically. The exception is the 'client side cookie', i.e. a token the page keeps client-side and adds to requests itself: we will not be able to 'read' a value stored under another domain, so the forged request cannot carry it. localStorage or sessionStorage doesn't have this problem.
A solution to mitigate this problem is to use a CSRF token: a random value tied to the session that the server embeds in its own forms and requires on every state-changing request. The attacker's page cannot read it, so the forged request fails the check.
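A minimal synchronizer-token implementation, added here as an example and not code from the original note. The in-memory SESSIONS store, the session id, the form and the /transfers handler are all assumptions standing in for a real framework's session and routing layer.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session_id -> session data.
# Constructed for this example; a real app keeps sessions server-side (DB, cache, ...).
SESSIONS = {}


def new_session():
    """Create a server-side session and return its id (the value the session cookie would carry)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def csrf_token(session_id):
    """Return the session's CSRF token, creating one on first use.

    The token is random and bound to the session, and it is NOT a cookie:
    the browser does not attach it automatically, so a cross-site <img> or
    auto-submitted form cannot include it without reading the victim's page.
    """
    session = SESSIONS[session_id]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session_id):
    """Embed the token in the legitimate form as a hidden field."""
    token = csrf_token(session_id)
    return (
        '<form method="POST" action="/transfers">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="to"><input name="amount">\n'
        '  <button>Send</button>\n'
        '</form>'
    )


def is_valid_csrf_token(session_id, submitted):
    """True only if the submitted token matches the one stored for this session."""
    session = SESSIONS.get(session_id)
    if session is None or "csrf_token" not in session or not submitted:
        return False
    # Constant-time comparison so response timing does not leak how many characters matched.
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_transfer(session_id, form):
    """Hypothetical state-changing handler: the token check runs before any business logic."""
    if not is_valid_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transfer of {form['amount']} to {form['to']} accepted"


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    # A form submitted from another site carries no token (it cannot read the victim's page).
    print(handle_transfer(sid, {"to": "18", "amount": "100"}))
    # The site's own form carries it.
    print(handle_transfer(sid, {"to": "18", "amount": "100", "csrf_token": csrf_token(sid)}))
```

The token lives in the server-side session rather than in a cookie precisely so that the browser never sends it on its own; the hidden field is the only path by which it reaches the server, and only the site's own pages can produce that field.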
Another is to validate the request origin. Modern browsers can send an Origin header with each request, which cannot be altered by JS.
In case there is no Origin header, we can fall back to the 'Referer' header.
When behind a proxy, we can get the host the browser actually used from the Host and X-Forwarded-Host headers, and compare it with the origin the request claims to come from.
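An origin check following the three points above (Origin first, Referer as fallback, Host or X-Forwarded-Host as the expected value), added here as an example rather than code from the original note. The header dictionaries and the trusted_proxy flag are assumptions; in a real deployment the flag reflects whether a reverse proxy that you control sets X-Forwarded-Host, since otherwise any client can supply that header itself.

```python
from urllib.parse import urlsplit


def expected_host(headers, trusted_proxy=False):
    """The host the browser addressed this request to.

    Behind a reverse proxy, Host is the proxy's view (often an internal name),
    and the host the browser used arrives in X-Forwarded-Host. That header is
    only honoured when the app is known to sit behind a proxy that sets it.
    """
    if trusted_proxy and headers.get("X-Forwarded-Host"):
        # A chain of proxies may append values; the first is the original.
        return headers["X-Forwarded-Host"].split(",")[0].strip().lower()
    return headers.get("Host", "").strip().lower()


def request_source_host(headers):
    """Host the request claims to come from: Origin, else Referer, else None."""
    origin = headers.get("Origin")
    if origin is not None:
        if origin.strip() == "null":
            return None  # opaque origin (sandboxed frame, some redirects): cannot verify
        return urlsplit(origin).netloc.lower() or None
    referer = headers.get("Referer")
    if referer:
        return urlsplit(referer).netloc.lower() or None
    return None


def is_same_origin_request(headers, trusted_proxy=False):
    """Allow a state-changing request only when its source host matches the target host.

    Fails closed: a request with no verifiable source is rejected rather than
    assumed benign, since an attacker controls whether a forged request carries
    a Referer at all.
    """
    target = expected_host(headers, trusted_proxy)
    source = request_source_host(headers)
    if not target or source is None:
        return False
    return source == target


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        ("own form",            {"Host": "bank.com", "Origin": "https://bank.com"}, False),
        ("cross-site form",     {"Host": "bank.com", "Origin": "https://other.example"}, False),
        ("referer only",        {"Host": "bank.com", "Referer": "https://bank.com/account"}, False),
        ("no source headers",   {"Host": "bank.com"}, False),
        ("behind trusted proxy", {"Host": "app-internal:8080", "X-Forwarded-Host": "bank.com",
                                  "Origin": "https://bank.com"}, True),
    ]
    for label, hdrs, proxied in samples:
        print(f"{label:22} -> {'allow' if is_same_origin_request(hdrs, proxied) else 'reject'}")
```

Note that netloc keeps the port, so a request to bank.com:8443 is compared against Host bank.com:8443, which is what you want; and that a client-supplied X-Forwarded-Host is ignored unless trusted_proxy is set, so it cannot be used to make a forged request look local.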
Another way to avoid CSRF is to set CORS headers properly. Keep in mind that CORS governs which cross-origin scripts may read a response; a plain image or form request like the ones above is sent regardless, so CORS complements the token and origin checks rather than replacing them.