312-50V10 · Question #122
Cross-site request forgery involves:
The correct answer is C. A browser making a request to a server without the user's knowledge. CSRF causes a victim's authenticated browser to unknowingly send a forged request to a trusted server, abusing the browser's automatic credential attachment.
Question
Cross-site request forgery involves:
Options
- AA request sent by a malicious user from a browser to a server
- BModification of a request by a proxy between client and server
- CA browser making a request to a server without the user's knowledge
- DA server making a request to another server without the user's knowledge
How the community answered
(16 responses)- A6% (1)
- C88% (14)
- D6% (1)
Why each option
CSRF causes a victim's authenticated browser to unknowingly send a forged request to a trusted server, abusing the browser's automatic credential attachment.
A request sent directly and knowingly by a malicious user describes a standard direct attack or social engineering action, not CSRF, which requires the victim's own authenticated browser to be the request origin.
Modification of a request by an intermediary proxy describes a man-in-the-middle attack, which is a distinct threat model involving interception rather than browser-side request forgery.
CSRF works by embedding a forged request in a page or resource the victim visits, causing their browser to automatically include valid session cookies or credentials when the request is sent to the trusted target server. The server receives what appears to be a legitimate authenticated request and acts on it without the user's awareness or intent. The attack succeeds because browsers attach stored credentials to same-domain requests regardless of which page initiated them.
A server making a request to another server without user knowledge describes Server-Side Request Forgery (SSRF), a separate vulnerability class from the client-side browser-based mechanism of CSRF.
Concept tested: Cross-site request forgery mechanics and definition
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.