Cross-site request forgery
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf [1]) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. [2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Synonyms

CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.

Prevention measures that do NOT work

Using a secret cookie

Remember that all cookies, even the secret ones, will be submitted wi...
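The two points above (the site trusts whatever the browser sends, and a "secret cookie" rides along with every request just like the session cookie) can be seen side by side in a small model. The following is an added example, not code from the original page: it models a request as the cookies the browser attaches automatically plus the form body only a same-origin page can fill in, and contrasts a cookie-only check with a session-bound token carried in the form body. `Request`, `SERVER_KEY`, the cookie names and the session id are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side secrets; in a real deployment these live in config.
SERVER_KEY = secrets.token_bytes(32)
SECRET_COOKIE_VALUE = secrets.token_hex(16)


@dataclass
class Request:
    """Constructed stand-in for an HTTP request.

    cookies: attached by the browser to every request to the site,
             regardless of which page triggered the request.
    form:    the POST body, which only the page that built the form controls.
    """
    cookies: dict
    form: dict


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token: bound to the session, embedded in the page's form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_secret_cookie(req: Request) -> bool:
    """The measure the page lists as NOT working: any request carrying the
    cookie is accepted, and the browser sends it with cross-site requests too."""
    return req.cookies.get("csrf_secret") == SECRET_COOKIE_VALUE


def check_csrf_token(req: Request) -> bool:
    """Working check: the form body must carry the token derived from the
    session cookie; a cross-site page cannot read that token to include it."""
    session_id = req.cookies.get("session")
    if session_id is None:
        return False
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, req.form.get("csrf_token", ""))


# Constructed victim state: the browser holds both cookies for the site.
VICTIM_COOKIES = {"session": "sess-1234", "csrf_secret": SECRET_COOKIE_VALUE}


def same_site_request() -> Request:
    """Form rendered by the site itself, so it contains the token."""
    form = {"amount": "10", "csrf_token": make_csrf_token("sess-1234")}
    return Request(cookies=dict(VICTIM_COOKIES), form=form)


def cross_site_request() -> Request:
    """Request triggered from another origin: cookies ride along, token absent."""
    return Request(cookies=dict(VICTIM_COOKIES), form={"amount": "10"})
```

The cookie-only check accepts the cross-site request just as readily as the same-site one, which is exactly why the page lists it under measures that do not work.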