Cross-site request forgery (CSRF)

Software is written in a manner that it doesn’t accept cross-site requests?

Cross-site request forgery is an attack in which a link or JavaScript payload hosted on a third-party site causes the victim's browser to perform actions on the targeted website on behalf of the logged-in user, using that user's existing session.

The malicious third-party site loads JavaScript which makes AJAX requests to the target site where the user is logged in. The browser attaches the user's session cookies to those requests automatically, so the target site cannot tell a forged request from a legitimate one unless it checks for something the third-party site cannot obtain, such as a CSRF token.

The software should be written using a framework which rejects HTTP POST submissions that do not carry a valid CSRF token. Any state-changing action (login, create, modify, delete) should not be an HTTP GET request, because a GET can be triggered by a plain link or image tag without any script.
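As an added example (not code from the original page or any particular framework), the following Python sketch shows the two rules above as a server-side check: a random token minted per session and required on every state-changing request, plus refusal to perform state changes over GET. The in-memory session store, the paths and the handler signature are assumptions made for the illustration.

```python
import hmac
import secrets

# Assumption: sessions live server-side; this constructed dict stands in for them.
SESSIONS = {}

# Assumption: these are the endpoints that change state on the target site.
STATE_CHANGING_PATHS = {"/account/delete", "/account/email"}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_session():
    """Create a session and mint a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token to embed as a hidden field in forms rendered for this session.

    A third-party page cannot read it: the same-origin policy stops its
    scripts from reading the target site's HTML or responses."""
    return SESSIONS[sid]["csrf_token"]


def handle_request(method, path, cookies, form):
    """Return (status, body). The cookie is the session id the browser attaches
    automatically, which is why it alone must never authorise a state change."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if method == "GET":
        # Reads are fine, but a GET must never change state, so a forged
        # link or <img src> pointing at a state-changing path is refused.
        if path in STATE_CHANGING_PATHS:
            return 405, "state-changing action requires POST"
        return 200, "read ok"
    if method not in STATE_CHANGING_METHODS:
        return 405, "method not allowed"
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, f"{method} {path} applied"
```

A forged cross-site POST arrives with the session cookie but without the token (or with a guessed one), so it is refused; the site's own form, which embeds `csrf_token_for(sid)`, succeeds.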

Related incidents:

Links: