CSRF stands for Cross-Site Request Forgery. It is a technique attackers use to make a victim's browser send requests to a web application on which the victim is already logged in, so that the application carries out actions the victim never intended.

- Assume you are currently logged into your online banking at `www.mybank.com`.
- Assume a money transfer from `mybank.com` will result in a request of (conceptually) the form `http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>`. (Your account number is not needed, because it is implied by your login.)
- You visit `www.cute-cat-pictures.org`, not knowing that it is a malicious site.
- If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into `mybank.com` (requires some luck!), they could include on their page a request like `http://www.mybank.com/transfer?to=123456;amount=10000` (where `123456` is the number of their Cayman Islands account and `10000` is an amount that you previously thought you were glad to possess).
- You retrieved that `ww
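The transfer endpoint from the scenario above, modelled in Python as an added example (not code from the original page): the cookie-only version accepts the forged request because the browser attaches the bank's session cookie to any request, while the hardened version requires a POST, rejects foreign `Origin` headers, and demands a per-session synchronizer token that the cat-pictures page cannot read. The `Request` class, the session store and the sample requests are constructed stand-ins, not a real framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side session store: session id -> session data.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    """Constructed stand-in for an HTTP request to /transfer."""
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req):
    """Authenticates by cookie alone: the browser sends that cookie even for a
    request triggered from a third-party page, so the forgery succeeds."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} -> {req.params['to']}: {req.params['amount']}"


def transfer_protected(req, site_origin="https://www.mybank.com"):
    """Same endpoint with three defences: state changes only via POST, the
    Origin header (when present) must be the bank's own site, and the request
    must carry the session's synchronizer token, compared in constant time."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-site origin rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} -> {req.params['to']}: {req.params['amount']}"


# Constructed forged request: the victim's browser follows the link embedded
# on the malicious page and attaches the bank's session cookie automatically.
FORGED = Request(method="GET", params={"to": "123456", "amount": "10000"},
                 cookies={"session": "sess-alice"},
                 headers={"Referer": "http://www.cute-cat-pictures.org/"})


def legitimate_request():
    """Constructed request that the bank's own transfer form would send."""
    return Request(method="POST",
                   params={"to": "987654", "amount": "50",
                           "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
                   cookies={"session": "sess-alice"},
                   headers={"Origin": "https://www.mybank.com"})
```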