"This server is vulnerable to a cross-site request forgery attack. Append each request with CSRF token or SameSite cookie attribute."
A cross-site request forgery (CSRF) is an attack that induces a user to unintentionally send a request to a web application to which they are authenticated. CSRF attacks exploit the trust a web application places in an authenticated user.
CSRF attacks are often targeted and rely on social engineering, for example:
When a user logs in to a web application, the attacker prompts them to click a URL containing an unauthorized request for that web application. The user's browser then sends this maliciously crafted request to the targeted web application, including session information such as session cookies or stored credentials. If the user has an active session with the targeted web application, the application processes the new request as an authorized, user-initiated request, allowing the attacker to exploit the CSRF vulnerability of the web application.
The impact of the attack depends on the privileges that the victim possesses. A CSRF attack does not directly steal the user's identity; instead, it exploits the user to carry out actions without their consent.
A successful CSRF attack forces the user to perform a state-changing request, such as:
To prevent a CSRF attack:
Older browsers may not support the relatively recently introduced SameSite cookie attribute.
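The two mitigations named above, as an added example that is not part of the original page: a session cookie issued with the SameSite attribute, and a per-session CSRF token that every state-changing request must echo back. The in-memory session store and the handler names are assumptions for the example; a real application would use its framework's session and form handling.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store (assumption: a real app uses its
# framework's server-side session storage).
SESSIONS = {}


def create_session():
    """Start a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid, samesite="Lax"):
    """Build the Set-Cookie header for the session cookie.

    SameSite=Lax (or Strict) tells a supporting browser not to attach the
    cookie to cross-site POSTs; Secure and HttpOnly are the usual companions.
    Older browsers ignore SameSite, which is why the token check below stays.
    """
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = samesite
    return cookie.output(header="Set-Cookie:")


def handle_state_change(cookie_header, form):
    """Process a POST that changes state (e.g. a password change).

    Accept only if the token in the form body matches the token bound to the
    session named by the cookie. A forged cross-site form cannot read that
    token, so it arrives without one (or with a wrong one) and is rejected.
    """
    cookies = SimpleCookie(cookie_header or "")
    sid = cookies["session"].value if "session" in cookies else None
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: no timing leak, no TypeError on
    # non-ASCII input supplied by an attacker.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"
```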
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.