The dangers of CSRF and GET requests


For those of you who are unfamiliar with CSRF, it works as follows:

Eve is aware that Alice banks at “www.mybank.com”.
Eve visits mybank.com and notices that the URL for money transfers looks like “www.mybank.com/transfer.php?to='bob'&amount=100”.
Eve realises that if Alice followed the link “www.mybank.com/transfer.php?to='eve'&amount=99999999999”, Eve would receive $99999999999.
However, if Eve simply sent a link to Alice, Alice would quickly realise that she had just given Eve a shitload of money.
Instead, Eve sends Alice an image with the following html: “”.

Let’s start taking a look at what is happening from the browser’s perspective:

1.) Look at that, an image.
I’ll get it from “www.mybank.com/transfer.php?to='eve'&amount=99999999999”!

2.) Mybank.com failed to return an image.
I’ll make use of the alt text.

3.) Render alternative text

Alice will see “Oh noes, the image didn’t load!”, while $99999999999 is sucked out of her account.
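
The same request seen from the server's side, as an added example (not code from the original article or from any real bank): a Python model of the transfer handler behaving as the walkthrough implies, next to a hardened version that refuses it. The function names, the session layout and the `csrf_token` field are assumptions made for illustration, and the requests at the bottom are constructed.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def new_session(user):
    # Constructed session record; the token is issued at login and embedded
    # in the bank's own transfer form, where another site cannot read it.
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def vulnerable_transfer(method, headers, session, params):
    # Behaviour the walkthrough implies: the session cookie alone authorises
    # the transfer, so a GET issued to load an "image" moves money.
    if session is None:
        return 401, "login required"
    return 200, f"sent {params['amount']} to {params['to']}"

def hardened_transfer(method, headers, session, params):
    if session is None:
        return 401, "login required"
    # 1. No state change on safe methods: image loads, prefetches and
    #    followed links are all GETs and stop here.
    if method in SAFE_METHODS:
        return 405, "transfers require POST"
    # 2. Fetch Metadata: browsers that send Sec-Fetch-Site label requests
    #    started by another site. An absent header means an older client,
    #    so fall through to the token check instead of trusting it.
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return 403, "cross-site request refused"
    # 3. Per-session CSRF token, compared in constant time.
    sent = str(params.get("csrf_token", "")).encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return 403, "missing or wrong CSRF token"
    return 200, f"sent {params['amount']} to {params['to']}"

if __name__ == "__main__":
    alice = new_session("alice")
    # Constructed request: what the browser sends for the image in the walkthrough.
    img = ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"},
           alice, {"to": "eve", "amount": "99999999999"})
    # Constructed request: Alice submitting the bank's own transfer form.
    form = ("POST", {"Sec-Fetch-Site": "same-origin"}, alice,
            {"to": "bob", "amount": "100", "csrf_token": alice["csrf_token"]})
    print(vulnerable_transfer(*img))
    print(hardened_transfer(*img))
    print(hardened_transfer(*form))
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` adds a browser-side layer on top of these checks, because the cookie is then not attached to cross-site image requests at all.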

Most banks and social networks protect against CSRF now, so the danger *seems* small. Watch as I show you how it could get your internet service suspended, have lawsuits filed against you, and much, much more.

What can you do to protect yourself, you might wonder?

The answer is nearly nothing.
1. Disabling JavaScript may help a little, but the broken tags continue to function.
2. There are literally thousands of ways to force your browser to make a GET request.
3. It’s impossible to block them all.
4. Right now, almost no one is using CSRF to carry out this type of attack, but that’s because there’s nothing in it for them.
All it would take is one of your “friends” to point you to a single website, and your reputation would be ruined, and your internet service would be terminated.
It only takes one troll to post broken images on a popular forum.

How much time have you spent reading this article?

Enough time for your browser to make a few GET requests, right?

Enjoyed reading this and want more content related to cybersecurity and pentesting? Follow me

Feel free to contact me on discord

nostalgia#1643
