DZone Security Zone
Cross-site request forgery (aka cross-site reference forgery) is a form of web application attack in which the attacker tricks a user's browser into sending requests that perform actions the user never intended. The web server therefore needs a way to determine whether a request was genuinely generated by a legitimate user through their own browser. A CSRF token provides this: the server generates a unique, unpredictable, and secret value that the client must include in its HTTP request. When the subsequent request arrives, the web server validates the request parameter that carries the token and rejects requests whose token is missing or invalid. The approach is widely used to prevent CSRF attacks because, without knowing the token, it is almost impossible for the attacker to construct a complete, valid HTTP request with which to ambush a victim.
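As an added illustration of the token mechanism just described (example code written for this page, not taken from the original article), here is a minimal server-side issue-and-validate flow: the token is bound to the user's session, embedded in the form, and compared in constant time on submit. The in-memory session store and the handler names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a real session backend (assumption):
# maps session id -> the CSRF token issued for that session.
SESSION_TOKENS = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a unique, unpredictable secret and bind it to the session."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSION_TOKENS[session_id] = token
    return token


def render_form(session_id: str) -> str:
    """Embed the session's token as a hidden field so the browser echoes it back."""
    token = SESSION_TOKENS.get(session_id) or issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def validate_csrf_token(session_id: str, submitted) -> bool:
    """True only if the submitted value equals the token issued to this session."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison avoids leaking the token byte by byte via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(session_id: str, form: dict) -> tuple:
    """State-changing handler: reject any request lacking a valid token."""
    if not validate_csrf_token(session_id, form.get("csrf_token")):
        return 403, "Forbidden: missing or invalid CSRF token"
    return 200, f"transfer of {form.get('amount')} applied"
```

A forged cross-site request can carry the victim's session cookie but not the token, so it is rejected even though the browser sent it.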
We discussed earlier how cross-site scripting vulnerabilities are among the most common forms of attacks involving the execution of malicious code on a victim’s browser. Though a CSRF may sound similar to XSS attacks, there are fundamental differences in how they are carried out.