Cross-Site Request Forgery, aka CSRF (pronounced Sea-Surf), is a security vulnerability that goes by many names. You might know it better as XSRF, side-jacking, session riding and maybe even the "one-click attack." No matter what name it goes by, CSRF is a serious exploitation of trust. It preys on a Website's trusted (and supposedly authenticated) users and cleverly allows them to be the ones who unknowingly initiate unauthorized actions or requests. From the point of view of the attacked site, it looks as though the user is the attacker when, in fact, at best he's probably an unwitting accomplice.
There are a number of reasons that someone would want to launch a CSRF attack and each has its own unique impact. CSRF attacks are nothing new.In fact, websites have been vulnerable to this attack since the beginning of the World Wide Web. CSRF is also an easy vulnerability to overlook.More »A Cross-Site Request Forgery attack can be initiated from a second site, without using Cross-Site Scripting. Launching an attack from a second site lifts any restrictions attackers may have on the HTML code they're allowed to use in the attack. It allows attackers to freely use things like forms, IFRAMEs and Javascript to perform the CSRF attack.More »Cross-Site Request Forgery attacks on your site can also occur in conjunction with XSS breaches. The severity of the CSRF attack is dependent on the severity of the vulnerability in your Ruby code.More »
