• A request generated from a user’s browser without the user’s knowledge
• Relies on the web site’s trust in requests coming from logged-in users (the browser attaches the session cookie automatically)
• An attack involves tricking a user into transmitting ‘bad’ HTML with a request, which then returns sensitive data to the attacker
• Executed via iframes, XMLHttpRequest calls, or embedded in tags such as <script>, <object>, <embed>, <img>, …
Example
<!-- Attacker-controlled page: the hidden fields are submitted automatically by the script below,
     and the victim's browser attaches its own cookies to the request.
     No action/method is given on the slide, so the browser defaults to a GET to the current URL. -->
<form name="myForm">
  <input type="hidden" name="item_id" value="123" />
  <input type="hidden" name="quantity" value="1" />
</form>
<script>document.forms['myForm'].submit();</script>
Countermeasures
• Use a unique, unpredictable form token in a hidden input field and verify it on the server before acting on the request
• Require re-login before sensitive operations (e.g. financial)
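The hidden-field token countermeasure, worked through against the auto-submitting form from the example above, as an added illustration that is not part of the original slide. The session store, the function names (issue_csrf_token, render_order_form, handle_order) and the /order endpoint are assumptions made for this example.

```python
from __future__ import annotations
import hmac
import secrets

# Per-session server-side state; a real app would keep this in its session store.
# Everything below is constructed for this example, not code from the slide.
SESSIONS: dict[str, dict] = {}

def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) an unpredictable token bound to this logged-in session."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_order_form(session_id: str) -> str:
    """Legitimate form served by the site: same fields as the slide, plus the token."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="post" action="/order">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input type="hidden" name="item_id" value="123" />'
        '<input type="hidden" name="quantity" value="1" />'
        "</form>"
    )

def handle_order(session_id: str, form_fields: dict[str, str]) -> tuple[int, str]:
    """Server-side check on submission: reject when the token is missing or wrong."""
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    submitted = form_fields.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"ordered {form_fields['quantity']} of item {form_fields['item_id']}"

# The forged request from the slide's form carries only item_id and quantity:
# the attacker's page cannot read the victim's token, so the server rejects it.
FORGED_REQUEST = {"item_id": "123", "quantity": "1"}

if __name__ == "__main__":
    print(handle_order("victim-session", FORGED_REQUEST))              # (403, ...)
    token = issue_csrf_token("victim-session")
    print(handle_order("victim-session", {**FORGED_REQUEST, "csrf_token": token}))  # (200, ...)
```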