nerdexam
EC-Council

312-50V10 · Question #122

Cross-site request forgery involves:

The correct answer is C. A browser making a request to a server without the user's knowledge. CSRF causes a victim's authenticated browser to unknowingly send a forged request to a trusted server, abusing the browser's automatic credential attachment.

Hacking Web Applications

Question

Cross-site request forgery involves:

Options

  • AA request sent by a malicious user from a browser to a server
  • BModification of a request by a proxy between client and server
  • CA browser making a request to a server without the user's knowledge
  • DA server making a request to another server without the user's knowledge

How the community answered

(16 responses)
  • A
    6% (1)
  • C
    88% (14)
  • D
    6% (1)

Why each option

CSRF causes a victim's authenticated browser to unknowingly send a forged request to a trusted server, abusing the browser's automatic credential attachment.

AA request sent by a malicious user from a browser to a server

A request sent directly and knowingly by a malicious user describes a standard direct attack or social engineering action, not CSRF, which requires the victim's own authenticated browser to be the request origin.

BModification of a request by a proxy between client and server

Modification of a request by an intermediary proxy describes a man-in-the-middle attack, which is a distinct threat model involving interception rather than browser-side request forgery.

CA browser making a request to a server without the user's knowledgeCorrect

CSRF works by embedding a forged request in a page or resource the victim visits, causing their browser to automatically include valid session cookies or credentials when the request is sent to the trusted target server. The server receives what appears to be a legitimate authenticated request and acts on it without the user's awareness or intent. The attack succeeds because browsers attach stored credentials to same-domain requests regardless of which page initiated them.

DA server making a request to another server without the user's knowledge

A server making a request to another server without user knowledge describes Server-Side Request Forgery (SSRF), a separate vulnerability class from the client-side browser-based mechanism of CSRF.

Concept tested: Cross-site request forgery mechanics and definition

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#cross-site request forgery#browser security#web attacks

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice