Hacking websites: cross site request forgery

Three of the most common ways to attack a website are SQL injection, cross-site scripting and cross-site request forgery (CSRF). I published a post about SQL injection and cross-site scripting recently, and now let's see what this third attack is all about.

Tom Scott explains that for this third attack to work, a malicious hacker copies the form from your bank's website, for example, into a page they control, hides it, and makes your browser submit it automatically whenever you visit or interact with that page. The reason this works is that your browser attaches your bank's cookies to any request it sends to the bank, no matter which page triggered the request, so the bank receives a request that looks exactly like one you made yourself.

Web developers fight this by having the server generate an unpredictable token, embed it in the same page as the form, and require that token to be sent back with the form data when you click the submit/go button. A request that arrives without the correct token is rejected.

If someone copies a token and tries to use it later, or from a different session, the form won't be accepted. The token is bound to the logged-in user's session, and many implementations also refresh it each time the page containing the form is loaded or let it expire after a short time; some additionally tie it to the client's IP address. The attacker's page can never obtain a valid token, because the browser's same-origin policy stops one site from reading the contents of another site's pages.
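To make the attack and the defence concrete, here is an added example (not code from the post or from Tom Scott's video) in Python that simulates the bank's server. It issues a CSRF token bound to the session and a timestamp using an HMAC with a server-side secret, which is one common way of implementing the per-user, time-limited token described above; the session store, the `handle_transfer` endpoint and the request dictionaries are assumptions constructed for the demo. The forged request carries the victim's session cookie, exactly as a real browser would attach it, but no valid token, so it is refused.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret that never reaches the browser (generated here for the demo).
SERVER_SECRET = secrets.token_bytes(32)

# Assumption: an in-memory session store keyed by the session cookie value.
SESSIONS = {}

TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def login(user):
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def issue_csrf_token(sid, now=None):
    """Token = timestamp '.' HMAC(secret, sid:timestamp).

    Bound to one session and to the moment it was issued; the server
    embeds it in the form, so only pages served to this user can see it."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SERVER_SECRET, f"{sid}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(sid, token, now=None, max_age=TOKEN_MAX_AGE):
    """Return True only for a token issued for this session within max_age seconds."""
    try:
        ts, mac = token.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
    except ValueError:
        return False
    if age < 0 or age > max_age:
        return False
    expected = hmac.new(SERVER_SECRET, f"{sid}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def handle_transfer(request, now=None):
    """The state-changing endpoint a CSRF attack targets.

    request = {"cookies": {...}, "form": {...}} is a constructed stand-in for an HTTP POST.
    Returns (status_code, message)."""
    sid = request.get("cookies", {}).get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    form = request.get("form", {})
    if not verify_csrf_token(sid, form.get("csrf_token", ""), now=now):
        return 403, "bad or missing CSRF token"
    return 200, f"{SESSIONS[sid]['user']} sent {form['amount']} to {form['to']}"


def demo():
    """Legitimate submit vs. the forged one from the attacker's hidden form."""
    alice = login("alice")
    # The bank renders its transfer form for alice and embeds a fresh token in it.
    page_token = issue_csrf_token(alice)

    legit = handle_transfer({
        "cookies": {"session": alice},
        "form": {"to": "bob", "amount": "10", "csrf_token": page_token},
    })

    # The attacker's page submits a copied form. The browser still attaches
    # alice's session cookie, but the attacker's page cannot read her token.
    forged = handle_transfer({
        "cookies": {"session": alice},
        "form": {"to": "mallory", "amount": "1000"},
    })

    # Even a genuine token from the attacker's own session does not fit alice's.
    mallory = login("mallory")
    wrong_session = handle_transfer({
        "cookies": {"session": alice},
        "form": {"to": "mallory", "amount": "1000", "csrf_token": issue_csrf_token(mallory)},
    })
    return legit, forged, wrong_session


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running `demo()` shows the real submission succeeding with 200 and both forged attempts failing with 403, while `verify_csrf_token` with an explicit `now` also demonstrates the time limit: a token issued an hour and more ago is rejected even for the right session.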

A very neat trick to keep the bad guys away from our bank accounts, that is for sure!

