CSRF Forgeries

The Problem:

  1. Man-in-the-middle attack: the attacker tricks the client into believing that the attacker's machine is the actual server, or sends an email containing a link that initiates a transaction on the original site.
  2. CSRF: a client tricks the server into believing that it is the intended client.
    1. Assume the user is currently logged in to "http://bank.com".

    2. The user has also opened a malicious website, which looks similar to bank.com, that contains the following content:

The solution:

  1. Make it mandatory for the client to send an additional token, which the server validates, along with every POST request.
  2. The server sends this token to the intended client in its HTTP response, embedded in the form (here via Django's template tag):
<form action="" method="post">
{% csrf_token %}
</form>

  3. Although this token is present in the HTML sent to the intended client, the malicious website cannot read it because of the Same-Origin Policy. Note: for more details check CSRF protection (in Django).
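The three steps above as a minimal server-side check, written as an added example that is not the page's code and not Django's own implementation (it only reuses the field name `csrfmiddlewaretoken` that Django's tag emits); the session dict stands in for whatever session store the server uses, and the form dict for the parsed POST body:

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"  # assumed slot name in the server-side session


def issue_csrf_token(session: dict) -> str:
    """Mint one unguessable token per session and return it for embedding."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def render_form(session: dict) -> str:
    """Step 2: the HTML the server sends to the intended client."""
    token = issue_csrf_token(session)
    return (
        '<form action="/transfer" method="post">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        "</form>"
    )


def csrf_check(session: dict, form: dict) -> bool:
    """Step 1: validate the submitted token against the session that sent
    the request (the cookie picks the session, the form carries the token)."""
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrfmiddlewaretoken")
    if not expected or not submitted:
        return False  # no token issued, or attacker's page could not read it
    # constant-time comparison so timing does not leak the token
    return hmac.compare_digest(expected, submitted)


def handle_post(session: dict, form: dict) -> tuple:
    """POST handler: refuse the state change unless the token matches."""
    if not csrf_check(session, form):
        return 403, "CSRF verification failed"
    return 200, f"transferred {form.get('amount')}"


if __name__ == "__main__":
    victim = {}                       # victim's logged-in session
    html = render_form(victim)
    token = victim[SESSION_KEY]
    print(handle_post(victim, {"csrfmiddlewaretoken": token, "amount": "10"}))
    print(handle_post(victim, {"amount": "10"}))   # forged cross-site POST
```

The forged request rides on the victim's cookie, so it reaches the victim's session, but without the token (or with a token minted for the attacker's own session) the check fails.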

