I will go to the OWASP Top 10 2007 and 2010 list .
I came across Cross Site Request Forgery (CSRF), this is often called a riding session, as you allow the user to use his session to fulfill your wishes.
Now this solution adds a token to each URL, and this token is checked for every link.
For example, to vote for product x, the URL would be:
'http://mysite.com?token=HVBKJNKL'
This seems like a hard decision because a hacker cannot guess a token.
But I was thinking about the following scenario ( I do not know if this is possible ):
You are creating a website with a hidden iFrame or div. After that, you can load my site in it either using regular iFrame or ajax.
When you have loaded my site on your website and the user has a saved session, you can do the following. You can extract the token from the URLS and perform all the necessary actions.
Is it possible to do something like this. Or it is impossible to do for this cross-domain.
source
share