What is Cross Site Request Forgery? and How does 3rdKey.com prevent it?

This is often confused with Cross-Site Scripting (XSS): the effect is about the same, but the method is quite different.

In Cross-Site Scripting (XSS), the scumBag.net virus site has stolen Dave's login by reading goodSite.com's cookies (see XSS for more).

In Cross Site Request Forgery (CSRF), scumBag.net "guesses" that Dave is logged in to goodSite.com and sends it instructions as if they came from Dave.

How Cross Site Request Forgery (CSRF) works

scumBag.net sends spam email to everyone in the UK that looks like it's from LastCityBank.com.

The email advertises a discount at SendFlowersToYourMum.net for LastCityBank.com customers.

Dave clicks the link to SendFlowersToYourMum.net because it's his mum's birthday, and it sounds like a great deal.

On arriving at SendFlowersToYourMum.net, none of the links seem to work, so Dave gives up and finds another florist.

But it turns out that SendFlowersToYourMum.net, being part of the scumBag.net network, had Dave's browser send a request to LastCityBank.com to transfer £1000 to a bank account in Mauritius.

If Dave was not logged in at the time, no harm done; but if he was logged in, well, he might have just been relieved of £1000.

At least mum got some flowers.

What can be done to stop this?

We can't speak for LastCityBank.com, but most real banks have blocked this by asking you to verify the transfer via your phone, an app, or email.

3rdKey.com creates a special "token" for every web page, and any request must carry that token for us to process it. Additionally, we keep some data in sessionStorage, so scumBag.net doesn't have the information it needs to fool us.

So scumBag.net can never "fake" a request at 3rdKey.com.
