The relationship between fake cross-site request and login

I was wondering if there is any connection between login and cross-site request? My question is, are there sites that do not have a username but still require CSRF protection? Can you give an example?

+3
2 answers

In order for CSRF to be effective, your site just needs to be able to act on behalf of someone so that it does not require explicit authentication or verification.

Subscribe to users using automatically connected cookies, these are the most popular CSRF attacks, but, for example, newsletter subscription forms can be just as vulnerable and can cause people to receive unwanted emails from your system to confirm their subscription.

So, to answer your question, although login and CSRF are related to each other, they are not exclusive to each other.

0
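One way to protect a form that has no login, such as the newsletter subscription mentioned in the answer above (an added example, not code from the original question or answers): the server sets a random anonymous cookie when it serves the form, embeds an HMAC of that cookie as a hidden field, and checks both on submission. The names `visitor_id`, `csrf_token`, `SERVER_KEY` and the origin `https://news.example` are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (assumption)
ALLOWED_ORIGIN = "https://news.example"   # hypothetical origin of the site


def new_visitor_id() -> str:
    """Random value set as a cookie when an anonymous visitor loads the form."""
    return secrets.token_urlsafe(16)


def issue_token(visitor_id: str) -> str:
    """Hidden-field token bound to the visitor cookie; no login is involved."""
    return hmac.new(SERVER_KEY, visitor_id.encode(), hashlib.sha256).hexdigest()


def accept_subscription(headers: dict, cookies: dict, form: dict) -> bool:
    """Return True only if the POST was produced by our own form in this browser."""
    # 1. Browsers attach Origin to cross-site POSTs; reject any foreign origin.
    origin = headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    # 2. The submitted token must equal the HMAC of the cookie the browser sent.
    #    Another site can trigger the POST, but it cannot read the cookie or
    #    the form, so it cannot supply a matching pair.
    visitor_id = cookies.get("visitor_id", "")
    token = form.get("csrf_token", "")
    if not visitor_id or not token:
        return False
    expected = issue_token(visitor_id)
    # Compare as bytes so unexpected non-ASCII input is rejected, not an error.
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one forged from another site.
    vid = new_visitor_id()
    good = {"email": "reader@example.org", "csrf_token": issue_token(vid)}
    print(accept_subscription({"Origin": ALLOWED_ORIGIN}, {"visitor_id": vid}, good))
    forged = {"email": "victim@example.org"}
    print(accept_subscription({"Origin": "https://other.example"},
                              {"visitor_id": vid}, forged))
```

This only stops requests forged through a visitor's browser; someone who loads the form directly and types in another person's address is a different problem, handled by the confirmation e-mail and rate limiting.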

CSRF attacks use the authenticity of client requests, since the attacking site is able to fake requests made by the client on behalf of the client, and thus enjoy the trust of servers in client requests. Thus, the server assumes that any request from the client implies the behavior of the user controlling the client. CSRF uses this implicit trust.

, . , , CSRF . , , , (, , , ..).

0
