XSRF
How it works
1 - user goes to evil.fish
2 - evil.fish includes form on bank.com
3 - form is submitted on bank.com
4 - bank.com helpfully transfers money into trout's account
Defenses
• Form keys
• Check HTTP referer
• CSRF tokens
• Short cookie expiration date
• Encourage users to log out
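The token and referer defenses from the list above, as an added example that is not part of the slides: bank.com, trout and evil.fish are the slides' placeholders, and the in-memory session store is a constructed stand-in for real server-side session storage.

```python
# Synchronizer-token CSRF defense plus an Origin/Referer check (added example).
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.com"      # the only origin allowed to post the transfer form
_session_tokens: dict = {}            # session id -> CSRF token (constructed stand-in)


def issue_csrf_token(session_id: str) -> str:
    """Mint an unpredictable token for this session; bank.com embeds it as a
    hidden field in the transfer form. evil.fish cannot read it because the
    same-origin policy hides bank.com responses from other sites."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token stored for the session."""
    expected = _session_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: dict) -> bool:
    """Referer/Origin check: the request must come from bank.com itself.
    Scheme and host are compared exactly, so 'https://bank.com.evil.fish'
    does not pass; a missing header is treated as cross-site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts, expected = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (parts.scheme, parts.netloc) == (expected.scheme, expected.netloc)


def handle_transfer(session_id: str, form: dict, headers: dict) -> tuple:
    """Handler for the POST that moves money. The browser attaches the session
    cookie automatically, so only these two checks distinguish the user's own
    click from a form that evil.fish submitted on their behalf."""
    if not origin_allowed(headers):
        return ("rejected", "origin is not bank.com")
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return ("rejected", "missing or invalid CSRF token")
    return ("ok", f"transfer {form['amount']} to {form['to']}")
```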
Homework • https://google-gruyere.appspot.com/