Web Application Threats - Cross-Site Request Forgery (CSRF) Attack
also known as a one-click attack, occurs when a hacker instructs a user’s web browser to send a request to the vulnerable website through a malicious web page. The victim holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user’s session. (P.1799/1783)
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.
SSRF is not even covered by module 14 - web server attacks!?
https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
-> It's a direct attack on the web server; no "victim's browser" is part of that attack.
I think the "B" (SSRF) would be the correct answer here.
"Cross-Site Request Forgery and Server-Side Request Forgery both exploit the webserver. However, only SSRF exploits are actually designed to attack the target.
The target of a CSRF attack is the user. While it is accomplished using flaws in how the web application is designed, its purpose is to perform legitimate but unauthorized actions on the user’s account with the web-based service.
SSRF forgery, on the other hand, is designed to primarily target the server. While, in the long run, the attack may affect users of the service, the primary purpose of the attack is theft of sensitive information on the server or exploiting other vulnerabilities by using SSRF to bypass input validation countermeasures."
https://resources.infosecinstitute.com/topic/the-difference-between-cross-site-and-server-side-request-forgery/
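The contrast drawn in the quotes above (CSRF rides the user's browser session; SSRF makes the server itself fetch a URL) maps to two different server-side checks. The following Python is an added example, not code from any of the commenters or from the linked articles: it shows a synchronizer-token plus Origin check that a web application can apply to state-changing requests (CSRF defence), and an allowlist-based validator for URLs the server is asked to fetch (SSRF defence). The session store, the site origin `https://bank.example`, the allowlisted host `api.partner.example` and all sample requests are constructed for illustration.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlparse


def _origin_of(url: str) -> str:
    """Reduce a URL or Origin header value to scheme://host[:port], lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


# ---------------- CSRF defence: prove the request came from our own page -------------
# The browser attaches the user's cookies to any request aimed at our site, even one
# triggered by a hidden form on another site. A per-session random token that only our
# own pages can embed is evidence the request did not originate cross-site.

def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the CSRF token for this session.
    `session` stands in for the server-side session store (constructed here as a dict)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_allowed(session: dict, method: str, form: dict,
                         headers: dict, site_origin: str) -> bool:
    """Return True only if a state-changing request carries the session's own token
    and, when an Origin/Referer header is present, it names our own origin."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so there is nothing to protect
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and _origin_of(origin) != site_origin.lower():
        return False  # request was submitted from another site (or a "null" origin)
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False  # cross-site pages cannot read our token, so they cannot supply it
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


# ---------------- SSRF defence: constrain where the server itself will connect ---------
# Here the attacker never touches a victim's browser; the user-supplied value is a URL the
# server will fetch. Allowlist the scheme and host, and refuse literal addresses in
# loopback, private, link-local (cloud metadata) and other non-routable ranges.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.partner.example"}  # constructed allowlist for this example


def ssrf_target_allowed(url: str) -> bool:
    """Return True only if the server may fetch `url` on a user's behalf."""
    p = urlparse(url)
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, etc. are never fetched
    if p.username or p.password:
        return False  # reject userinfo tricks such as http://allowed-host@other-host/
    host = p.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local
                           or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False
    return host.lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print("same-site POST with token:",
          csrf_request_allowed(session, "POST", {"csrf_token": token},
                               {"Origin": "https://bank.example"}, "https://bank.example"))
    print("cross-site POST without token:",
          csrf_request_allowed(session, "POST", {}, {"Origin": "https://other.example"},
                               "https://bank.example"))
    print("fetch of allowlisted host:", ssrf_target_allowed("https://api.partner.example/v1/items"))
    print("fetch of link-local address:", ssrf_target_allowed("http://169.254.169.254/latest/"))
```

Two design notes: the token check uses `hmac.compare_digest` so that a mismatch takes the same time regardless of where the strings differ, and the Origin check is a second, independent layer rather than a replacement for the token. The SSRF validator only inspects literal addresses; in production the allowlisted hostname should also be resolved and the resolved address checked (and then pinned for the actual connection), because a hostname that passes the allowlist can still resolve to an internal address.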
For SSRF, the attacker sends the request with crafted code, but it is not related to authentication; this is a key word.
For CSRF, the user sends the request with the malicious code after the attacker tricked him or her. This is the valid answer.
Is B the correct answer:
https://www.microfocus.com/documentation/silk-performer/195/en/silkperformer-195-webhelp-en/GUID-FEFE9379-8382-48C7-984D-55D98D6BFD37.html
I attach the explanation. I agree, that's the correct answer!!!
https://www.welivesecurity.com/la-es/2015/04/21/vulnerabilidad-cross-site-request-forgery-csrf/