Transfer of funds from the Bank
Disruption of the normal sequence of the site
Some Requirements Of Exploiting CSRF
Make sure that the slave has SESSION \ COOKIE on the target site.
the slave must be identified by the network protocol verification (HTTP Authentication)
Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request.
Nature of browsers is to send HTTP requests to visual objects such as picture or remote files (CSS, JS, etc.) even while loading the page without the user’s permissions. This means the user does not need to perform any action in order to see the image on the page, all he has to do is go to a certain site-specific browser sends HTTP requests to have to load the image. In this case, since the browser recognizes the HTML code of the image tag, it sends HTTP requests to load the image even if the SRC of the image is not really a picture, but a malicious link …
What I want to check in my user control panel is the parameters are sent as a request to the HTTP server when I’m updating my home page via the user control panel.
There are a variety of fields that can be updated, such as an address, phone, email, name, content, and most importantly for this example: The favorite website\home page address.
These parameters are sent to the server when updating my website address. So it seems to Firebug:
These parameters are sent to the server using the POST method. So we do not see the parameters in the URL address. But, if the parameters will be written via getting method, the data will send? Let’s see.
How to prevent?
Except from one: Tokens.
The token This is a hidden random ID responsible for sending structured data, such as logging into forms, forms that allow registered users to update data or home page(in our case )
Don’t forget to delete your cookies.
Use tokens(Captcha is safer).
When you built your php site, don’t use GET \ REQUEST super-global variables.