Cross-Site Request Forgery (CSRF) that is also known as XSRF that refers to an attack which leads to the user to execute unwanted actions to the web application where they have access to it. Usually, it will look like a regular link to the web application. But the parameter will be manipulated it will make the HTTP request to the web application as attacker intended. It used to make state-changing requests such as to change the password, make account transactions. The social engineering method is used to influence the user to execute as attackers choosing. It may come as mail or a chat. As of the privilege increases the chance of compromising the application is high. If the victim is a standard user account, it will use for changing mail id password or even transfer fund. In case of the Administrator account; it will compromise the whole application.
Given below is an example of how the Cross-site Request Forgery (CSRF) can be used to abuse the user in GET request using the < img> tag.
The attacker can generate a custom attribute like the above example and include it in the website that was controlled by the attacker. When the user opens the malicious site, it will use the HTTP GET request to perform the password change while it was logged in. The user won’t notify the password change.
Cross-site Request Forgery in POST requests
The impact include:-
Beagle recommends the following fixes:-