Message from JavaScript discussions
January 2018
— Oh yes, forgot
Https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) very good read for anyone integrating auth systems into their app
— Even if you don't write any auth code yourself, there are still a lot of places that are easy to accidentally open a hole in the app infrastructure
— Thanks
— "Prevention measures that do NOT work" is a good section
— (cookie1=expires in 6h)(cookie2=expires in a week)(cookie3=expires in a month)... so if img got these, attacker gets 3 cookies and tries to access site next day, session doesn't work, see
— Attacker does not get the cookie
— There is no "next day"
— Your browser runs the code to load an image and then makes a request to your app server, browser auto-sends a cookie to your app server, and suddenly now your app server is doing whatever is described in the img tag's query string
— <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="0" height="0" border="0">
example from that page
— That is the whole attack right there, nothing more
— There are a lot more ways to do CSRF but that's the easiest