How to avoid 15 worst coding errors of all time: #9 Cross-Site Request Forgery (CSRF)

This coding error is very specific and applies to Web applications that accept state-changing requests from logged-in users: logging in, submitting forms, changing account settings or uploading files. These are usually sent with the HTTP POST method, but any request that changes state is exposed, including a GET request that does so. More precisely, Cross-Site Request Forgery (CSRF) is a security weakness where a Web application does not verify that a state-changing request was intentionally made by the user from the application's own pages, rather than triggered from another site.

A Web application which is vulnerable to CSRF would let attackers trick users into performing actions they did not intend to, like changing their email address or password, without them knowing. This can happen when a user is logged into a website and then visits a malicious website, or clicks a link, that silently sends a request to the first website on the user's behalf: the browser attaches the user's session cookie to the forged request automatically, so the application cannot tell it apart from a request the user made deliberately.

To prevent CSRF, websites need to require a unique, unpredictable token, tied to the user's session, for every state-changing request, or a custom HTTP header that a cross-site form cannot set, and check it on every such request received. If the application receives a POST request that does not contain the right token or header, the request must be rejected without performing the action, to protect the application's users. Two caveats a practitioner would want: compare the submitted token with the expected one using a constant-time comparison, and treat the SameSite cookie attribute and Origin/Referer checks as defence in depth, not as a replacement for the token.
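The token check described above, as an added example that is not part of the original article. It models the synchronizer-token pattern in plain Python, with no web framework: a server-side session store, a per-session token, and a check that accepts the token either from a hidden form field or from a custom request header. The cookie name `session`, the header name `X-CSRF-Token`, the `Request` class and the `change_email` handler are all assumptions made for the illustration; the requests it runs are constructed in the block.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side session store (assumption: session_id -> session data).
SESSIONS: dict = {}

# Methods that must never change state and so are exempt from the check.
# Caveat: this only holds if GET handlers really are side-effect free.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session(user: str) -> str:
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the server renders into its own forms as a hidden field."""
    return SESSIONS[session_id]["csrf_token"]


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (ok, reason). Runs before any state-changing handler."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return False, "no session"
    # Accept the token from the form body or from a custom header; a
    # cross-site <form> can submit neither the secret nor a custom header.
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if submitted is None:
        return False, "missing token"
    expected = session["csrf_token"]
    # Constant-time comparison so a wrong token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


def change_email(req: Request) -> tuple[int, str]:
    """State-changing handler: rejects the request unless the CSRF check passes."""
    ok, reason = csrf_check(req)
    if not ok:
        return 403, reason
    SESSIONS[req.cookies["session"]]["email"] = req.form["email"]
    return 200, "email updated"


def demo() -> dict:
    """Legitimate and forged requests against the same logged-in session."""
    sid = new_session("alice")
    token = csrf_token_for(sid)
    cookie = {"session": sid}  # the browser attaches this to every request
    return {
        # Submitted from the application's own form, which carries the token.
        "legit_form": change_email(Request("POST", cookie, {}, {"email": "alice@example.com", "csrf_token": token})),
        # Forged by a malicious page: the cookie is present, the token is not.
        "forged_no_token": change_email(Request("POST", cookie, {}, {"email": "attacker@example.net"})),
        # Forged with a guessed token: constant-time compare still rejects it.
        "forged_wrong_token": change_email(Request("POST", cookie, {}, {"email": "attacker@example.net", "csrf_token": "guess"})),
        # Same-origin script sending the token in the custom header instead.
        "legit_header": change_email(Request("POST", cookie, {"X-CSRF-Token": token}, {"email": "alice2@example.com"})),
        "email_after": SESSIONS[sid].get("email"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the header variant only blocks cross-site forms; if the application also enables CORS with `Access-Control-Allow-Headers` for the token header and permissive origins, scripts on those origins could set it, so keep the token secret and the CORS policy tight.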

#securecoding #pentesting #webapps

More articles by Edgar ter Danielyan