Safer web forms with security tokens
Posted on November 15, 2009
A common issue with many web applications is their vulnerability for Cross-Site Request Forgery, or XSRF. It allows a hacker to send a malicious request to a website with an other user’s privileges. Here’s how it works:
- A hacker creates a page with a form that submits data to example.com.
- An administrator from example.com is tricked into visiting the page, the form is submitted using JavaScript.
- The data is handled by example.com as if it came from the administrator (because it did).
This allows a hacker to perform administrative tasks on example.com like editing pages or deleting users.
I'm ElbertF, a Dutch expat web developer living in Australia. I built websites for a living and work on experimental projects for fun.
