Cross-Site Request Forgeries: CSRF

An important web vulnerability is, paradoxically, something we often build into our apps on purpose. It's called Cross-Site Request Forgery, or CSRF (sometimes pronounced sea-surf). Here are the basic building blocks:

• Our app allows users to update a database The update might use either GET or POST.
• The update will require authentication and authorization (auth) prior to submitting the request.
• The auth credentials automatically comes along with the update request, say via cookies sent automatically by the browser.

So far, that seems completely normal. How could it be misused?

Example

Exploiting GET

Visit this page and see what happens.

Exploiting POST

Visit this page and see what happens.

Exploiting a one-off form

Visit this page and see what happens. That form uses a token that was generated from Flask WTForms but the token hasn't been used yet.

Learning More

There's more that you can learn about CSRF, if you decide to (this is optional). I suggest starting at the Wikipedia page on Cross-Site Request Forgery (CSRF). One of the useful links in that article is Cross Site Request Forgery: An Introduction to a Common Web Weakness. [an error occurred while processing this directive]