Konubinix' opinionated web of thoughts

Cross-Site Request Forgery

Fleeting

Cross site request forgery or CSRF

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

web browser to perform an unwanted action on another trusted site where the user is authenticated

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

possible when the browser automatically sends an authorization resource, such as a session cookie, IP address or similar, with each request.

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

easy-to-implement patterns that prevent this web attack. One of the most common patterns is the usage of a CSRF token. Basically the procedure is the following:

Generate a unique token for each user's request, the so-called CSRF token. Store it safely on the server and send it back to the user as the payload of the response. Store the CSRF token on the client side. When the user tries to execute any state-changing* request, send that CSRF token with the request as a payload. Before executing that request on the server side, check that the CSRF token is present and valid.

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

If you are dealing only with visitors that use modern browsers then you can rely on the SameSite attribute of the session cookie

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3
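What "rely on SameSite" means in practice, as an added example (not from the article): a helper that emits the session cookie with SameSite set, and a small model of the rule browsers apply when deciding whether to attach such a cookie to a cross-site request. The model only covers the SameSite decision, not domain/path/expiry matching, and the function names (`buildSessionCookie`, `cookieSent`, `forgeryOutcomes`) are this example's own. The point it makes is the caveat a practitioner wants: `Lax` still lets the cookie ride along on a cross-site top-level GET navigation, so a state-changing GET endpoint stays forgeable under `Lax`.

```javascript
// Added example (not from the linked article): SameSite session cookie and a
// model of when the browser attaches it. Assumed names: buildSessionCookie,
// parseSameSite, cookieSent, forgeryOutcomes.

// Emit the Set-Cookie value for the session cookie. Secure and HttpOnly are
// included because SameSite=None is only accepted together with Secure.
function buildSessionCookie(value, sameSite) {
  if (!["Strict", "Lax", "None"].includes(sameSite)) {
    throw new Error("SameSite must be Strict, Lax or None");
  }
  return [`session=${value}`, "Path=/", "HttpOnly", "Secure", `SameSite=${sameSite}`].join("; ");
}

// Read the SameSite attribute back out of a Set-Cookie value (case-insensitive).
// Returns null when absent; Chromium then treats the cookie as Lax by default,
// but older or other browsers may not, so always set it explicitly.
function parseSameSite(setCookie) {
  const m = /;\s*SameSite=(Strict|Lax|None)/i.exec(setCookie);
  if (!m) return null;
  const v = m[1].toLowerCase();
  return v[0].toUpperCase() + v.slice(1);
}

// Model of the browser's SameSite decision.
// request: { method, crossSite: bool, topLevelNavigation: bool }
function cookieSent(sameSite, request) {
  if (!request.crossSite) return true;          // same-site: always attached
  switch (sameSite) {
    case "Strict":
      return false;                              // never on cross-site requests
    case "Lax":
      // Only on top-level navigations using a safe method (link click, redirect).
      return request.topLevelNavigation && ["GET", "HEAD"].includes(request.method);
    case "None":
      return true;                               // legacy behaviour, needs Secure
    default:
      return true;                               // assumption: no-attribute = legacy None
  }
}

// Three constructed cross-site requests an attacker page can make:
//   formPost:   auto-submitted <form method="POST"> (top-level navigation)
//   imgGet:     <img src="https://bank/transfer?..."> (subresource GET)
//   linkGet:    user clicks a link / is redirected (top-level GET)
function forgeryOutcomes(sameSite) {
  const formPost = { method: "POST", crossSite: true, topLevelNavigation: true };
  const imgGet = { method: "GET", crossSite: true, topLevelNavigation: false };
  const linkGet = { method: "GET", crossSite: true, topLevelNavigation: true };
  return {
    formPost: cookieSent(sameSite, formPost),
    imgGet: cookieSent(sameSite, imgGet),
    linkGet: cookieSent(sameSite, linkGet),
  };
}

const cookie = buildSessionCookie("abc123", "Lax");
console.log(cookie);
console.log("Lax   :", forgeryOutcomes(parseSameSite(cookie)));
console.log("Strict:", forgeryOutcomes("Strict"));
console.log("None  :", forgeryOutcomes("None"));
```

Under `Lax` the forged form POST and the `<img>` GET are both blocked, but `linkGet` still carries the session cookie; that is harmless only if GET never changes state. `Strict` blocks all three at the cost of breaking legitimate cross-site links into the authenticated app. Neither setting helps a user whose browser ignores the attribute, which is why the article limits this advice to modern browsers.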

no protection against CSRF attacks if your web application is XSS vulnerable!

https://dev.to/maleta/cors-xss-and-csrf-with-examples-in-10-minutes-35k3

In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend

https://en.wikipedia.org/wiki/Cross-site_request_forgery

Remember that Cross-Site Scripting (XSS) can defeat all CSRF mitigation techniques

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

Notes pointing here