In this post, I decided to dissect two common security vulnerabilities that exist on the web and along the way highlight some browser security model intricacies.
CSRF (Cross Site Request Forgery) can be explained with a simple example as follows:
1. User visits a malicious website M.
2. M embeds an image tag on its page whose source is, say, a URL that transfers money from the user's account to another account. If the user was logged into his bank account when he loaded M's page, the browser attaches the bank's session cookie to that image request just as it would to any other request to the bank, so the transfer happens.
How do you prevent such a CSRF attack? One way is to embed some data in the site's FORMs, such as an unpredictable token in a hidden parameter, and verify it when the form is received on submission. This ensures that only forms generated by the site (the bank, in this case) are accepted, because a page on M cannot read the token out of the bank's page.
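The hidden-token defence described above, as an added example that is not part of the original post: a minimal in-memory session store (constructed for the example) issues a random per-session token, the bank's form carries it in a hidden field, and the transfer handler rejects any submission whose token does not match the one tied to the cookie's session.

```python
import hmac
import re
import secrets
from html import escape

# Constructed in-memory session store for the example: session id (the cookie) -> session data.
SESSIONS = {}


def create_session(user):
    """Log a user in: issue a session id (sent as the cookie) and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The bank's own transfer form carries the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid, form):
    """Server-side check: the submitted token must match the one tied to the cookie's session."""
    session = SESSIONS.get(sid)
    if session is None:
        return "rejected: not logged in"
    # compare_digest avoids leaking the token byte by byte through timing differences.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return "rejected: missing or wrong CSRF token"
    return f"ok: {session['user']} sent {form['amount']} to {form['to']}"


def legitimate_submission(sid, to, amount):
    """User fills in the bank's form: the browser posts the hidden token along with the fields."""
    html = render_transfer_form(sid)
    token = re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)
    return handle_transfer(sid, {"csrf_token": token, "to": to, "amount": amount})


def forged_submission(sid):
    """Request triggered from site M: the browser still attaches the bank cookie (sid),
    but M cannot read the token from the bank's page, so the request arrives without it."""
    return handle_transfer(sid, {"to": "someone-else", "amount": "1000"})
```

Accepting the transfer only via POST additionally defeats the bare image-tag GET from the example above; the token check is what stops a forged POST.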
XSS (Cross Site Scripting) can be explained with an example as follows:
2. The URL is sent to the targeted user via email or through other means.
You may ask: how can a JS file downloaded from a third-party site have access to V's DOM or page? Isn't that cross-domain, which is not allowed? It is allowed, because the script was requested by the page downloaded from V, and a script runs with the origin of the page that includes it, not the origin it was fetched from. This is how things like Optimizely or CDNs work: a script downloaded from Optimizely or a CDN can modify content on the page downloaded from V.