Cross-Site Request Forgery (CSRF) is an attack in which the attacker forces an authenticated user to perform unwanted actions without their knowledge. It occurs when the authenticated user visits another website that is designed for malicious activity. Consider the following example scenario:

A user visits an online bank website that offers basic financial features. While the user is logged in and able to transfer money from their account to another account, they visit a malicious website designed by the attacker. The image tag in the malicious website looks like this:

When you visit a web page like this, the browser automatically fetches the resource referenced by every such tag, even though it is not visible to the normal user. Because the user is still authenticated to the bank website, the browser attaches the session cookie and sends the request that transfers money to the attacker's account.

This 5-minute video shows such a cross-site request forgery attack on a WordPress server. Note that the server is modified to demonstrate the attack. The video does not claim that the actual WordPress server is vulnerable.

There are several ways to prevent this attack, on both the user's and the developer's side. For instance, logging off immediately after using a web application will minimize the risk. However, the most user-friendly way is to use user-specific and unpredictable CSRF tokens: the server issues a token the attacker's page cannot know, and rejects any state-changing request that does not carry it. Using random tokens per user, or per request, makes the attack harder to exploit.
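As an added illustration (not code from the article), here is a minimal per-session CSRF token scheme in Python: tokens are bound to the session with an HMAC keyed by a server secret, verified in constant time, and checked before the transfer handler runs. The names `SERVER_SECRET`, the session id values and the `csrf_token` form field are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: in a real application this secret is loaded from configuration,
# not generated at import time.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over session id and nonce, so a token only validates for its own session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Return a fresh, unpredictable token bound to session_id.

    A new nonce is drawn on every call, so tokens are unique per request;
    an attacker's page cannot guess it and cannot read it cross-origin.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: Optional[str]) -> bool:
    """Accept only a well-formed token whose MAC matches this session."""
    if not token or "." not in token:
        return False  # missing or malformed token (the forged <img> request case)
    nonce, mac = token.split(".", 1)
    # compare_digest avoids leaking the expected MAC through timing differences
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler: refuse the transfer unless the CSRF token checks out."""
    if not verify_token(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Constructed sample: a legitimate form submission versus a forged request
    tok = issue_token("sess-A")
    print(handle_transfer("sess-A", {"csrf_token": tok, "amount": "100", "to": "acct-2"}))
    print(handle_transfer("sess-A", {"amount": "100", "to": "attacker-acct"}))
```

A forged request from another origin carries the victim's cookie but not the token, so it is rejected; a token issued to one session also fails verification under any other session id.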

Prepared by Cansın Yıldırım.