Why bother requiring CSRF token on POST requests?

轮回少年 2021-01-16 21:12

My understanding is that CSRF prevents an attacker using an tag to get the victim's browser to send a request that would be authenticated using the

3 answers
  •  天命终不由人
    2021-01-16 21:47

    Having done some further investigation:

    It's possible for the attacker to host a

    on their own site which submits to the target site (your site). All they need to do is get the victim to submit this form and it'll be submitted with their cookies and potentially their authentication.

    It's also possible for the attacker to inject an
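
The cross-site form submission described in the answer above, and the server-side token check that rejects it, as an added example that is not part of the original thread. The session ids, field names and the `handle` function are hypothetical; the token here is an HMAC of the session id, one common synchronizer-token construction.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumption: secret known only to the server
SESSIONS = {"s-victim-123", "s-other-456"}  # constructed sample session store


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle(method: str, cookies: dict, form: dict) -> int:
    """Return the HTTP status a state-changing endpoint would answer with."""
    session_id = cookies.get("session", "")
    if session_id not in SESSIONS:
        return 401                          # no valid session cookie
    if method != "POST":
        return 405                          # endpoint only changes state via POST
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    # The cookie alone is not proof of intent: the browser attaches it to any
    # request for this site, including one triggered by a form on another origin.
    if not hmac.compare_digest(expected, supplied):
        return 403
    return 200


VICTIM_COOKIES = {"session": "s-victim-123"}  # what the browser sends automatically


def same_site_post() -> int:
    # The site's own page embedded the token in a hidden field.
    form = {"email": "new@example.test", "csrf_token": issue_csrf_token("s-victim-123")}
    return handle("POST", VICTIM_COOKIES, form)


def cross_site_post() -> int:
    # A form hosted elsewhere: cookies arrive, but that page could not read the token.
    return handle("POST", VICTIM_COOKIES, {"email": "new@example.test"})


def wrong_session_token_post() -> int:
    # A token issued for a different session must not validate for this one.
    form = {"email": "new@example.test", "csrf_token": issue_csrf_token("s-other-456")}
    return handle("POST", VICTIM_COOKIES, form)
```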