312-50V10 · Question #739
While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and
The correct answer is C. Cross-Sire Request Forgery. Cross-Site Request Forgery (CSRF) exploits an authenticated browser session by tricking the user into loading a malicious resource that silently issues forged requests to a trusted site using the user's existing session credentials.
Question
While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?
Options
- AClickjacking
- BCross-Sire Scripting
- CCross-Sire Request Forgery
- DWeb form input validation
How the community answered
(49 responses)- A4% (2)
- B8% (4)
- C73% (36)
- D14% (7)
Why each option
Cross-Site Request Forgery (CSRF) exploits an authenticated browser session by tricking the user into loading a malicious resource that silently issues forged requests to a trusted site using the user's existing session credentials.
Clickjacking overlays invisible UI elements to trick users into clicking something other than what they see; this scenario involves no hidden UI layer or deceptive click target - the malicious action is triggered automatically by loading the page.
Cross-Site Scripting (XSS) injects malicious scripts into a trusted web page that execute in the victim's browser; this scenario does not involve injecting code into the banking site itself.
In CSRF, the attacker crafts a malicious link or page that, when loaded by an authenticated user, causes the user's browser to send unauthorized HTTP requests to a target site - in this case the bank - using the user's active session cookie. The bank cannot distinguish the forged request from a legitimate one because it carries valid credentials. The cat video serves as a decoy while the forged transaction executes in the background using the user's authenticated banking session.
Web form input validation is a defensive control that sanitizes user-supplied data before processing; it is not an attack vector and is unrelated to the session-hijacking mechanism described in this scenario.
Concept tested: Cross-Site Request Forgery session-based attack mechanism
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.