Penguicon 2006

Cross Site Request Forgery :: Primer

Cross Site Request Forgery :: Primer

• HTTP: Stateless - server does not know the relation from one request to the next. (will discuss more in Sessions)
• How a web browser views a page:
• • User types url, and browser retrieves the [entry point] HTML for the page.
  1. GET /index.html HTTP/1.1
  • Browser parses HTML
  1. <html><body>
  2. Here is a picture of me:
  3. <img src="hackergotchi.png"></img></body>
  • Browser sends requests for each additional file required for page.
  1. GET /hackergotchi.png HTTP/1.1