An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage of a victim's existing browser session with a web application is an example of which of the following types of attack?
Answer is B
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Answer B
A CSRF attack hinges on the use of social engineering. An attacker fools their victim by sending a link through a chat or email. When a victim is a user without admin privileges, the CSRF attack can make them do things like change an email address as it appears in the target site’s system, transfer funds from an account, change username information, and more. If the victim has administrator privileges, the CSRF attack can be used to alter the function of the web application itself.
https://www.fortinet.com/resources/cyberglossary/csrf
Answer: Cross-Site Request Forgery
https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/#:~:text=CSRFs%20are%20typically%20conducted%20using,request%20from%20a%20forged%20one.
CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. As the unsuspecting user is authenticated by their application at the time of the attack, it’s impossible to distinguish a legitimate request from a forged one.
Answer B) https://owasp.org/www-community/attacks/csrf
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
The Answer is B.
According to OWASP https://owasp.org/www-community/attacks/csrf
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
B, not C. The success of an XSS attack isn’t based on the session activation. Corrupted payloads are delivered whenever the user accesses the website. CSRF demands an active session be completed. It mentions an "existing browser session", so it should be a CSRF attack.
XSS injects a malicious script into a vulnerable website in order to get a user's session cookies when they visit the compromised website. XSRF/CSRF, on the other hand, targets the user directly; it does not compromise any website and does not get session cookies. The hacker simply sends a URL of cute puppies and cats (for example) with invisible malicious code embedded. While you're scrolling through pictures of cute puppies, the code is busy transferring funds from your account to the hacker.
B is the correct answer. CSRF
https://owasp.org/www-community/attacks/csrf
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.