Cross-Site Request Forgery (CSRF)
The Cross-site request forgery (CSRF) exploit uses cross-site scripting (mentioned above), browser insecurities, and other techniques to cause a user to unwittingly perform an action within their current authenticated context that allows the attacker to access the user’s account. This type of attack usually occurs when a malicious email, blog, or a message causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.
Let’s assume https://www.SampleBankPortal.com has a CSRF vulnerability. An attacker could set up a CSRF attack as follows.
The attacker places a 1x1 pixel image on https://www.malicioussite.com; it fails to load and goes unnoticed by a victim visiting that site. The pixel is defined by the following tag:
<img src="https://www.SampleBankPortal.com/fundTransferRequest?amount=$1500&destinationAccount=12345">
If the victim is already logged in to www.SampleBankPortal.com in the same browser before visiting the malicious site, the browser automatically issues the request in the img tag's src attribute, and the server side of SampleBankPortal executes it because it arrives from an authenticated user session!
Prevention Measures
Include a unique, unpredictable token generated at runtime in a hidden form field for all requests to the server. This causes the token value to be sent in the body of the HTTP request and avoids its inclusion in the URL. The server then validates the token before executing the request.
Requiring users to re-authenticate before performing critical or sensitive operations is another measure that prevents CSRF.
Use strong re-authentication measures, such as a CAPTCHA or a two-step verification process, to exclude bot activity.
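The hidden-field token measure above, as an added example that is not part of the original article: a minimal Python model of the bank's server side, with a constructed in-memory session store and hypothetical handler names, showing that the forged image request (a GET carrying no token) is rejected while the bank's own form, which sends the session-bound token in the POST body, is accepted.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session id -> session data
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Embed the session's token in a hidden field so it travels in the POST body, not the URL."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/fundTransferRequest">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="destinationAccount">'
        "</form>"
    )


def fund_transfer_request(cookies, method, form):
    """Hypothetical server-side handler: refuse any state change lacking the session-bound token."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not authenticated"
    if method != "POST":
        # An <img> tag can only produce a GET, so state changes are not accepted on GET at all
        return 405, "state change must be POST"
    expected = SESSIONS[sid]["csrf_token"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token through timing
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form['amount']} to {form['destinationAccount']}"
```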