312-50V11 · Question #122
Cross-site request forgery involves:
The correct answer is C. A browser making a request to a server without the user's knowledge. CSRF exploits the trust a web server has in a user's authenticated browser, tricking it into submitting unauthorized requests without the user's awareness.
Question
Cross-site request forgery involves:
Options
- AA request sent by a malicious user from a browser to a server
- BModification of a request by a proxy between client and server
- CA browser making a request to a server without the user's knowledge
- DA server making a request to another server without the user's knowledge
How the community answered
(33 responses)- B3% (1)
- C94% (31)
- D3% (1)
Why each option
CSRF exploits the trust a web server has in a user's authenticated browser, tricking it into submitting unauthorized requests without the user's awareness.
A malicious user deliberately sending requests from their own browser describes a direct unauthorized access attempt, not CSRF, which requires the victim's own authenticated browser to be the unwitting vehicle.
An intermediary altering traffic in transit describes a man-in-the-middle (MITM) attack, which is a distinct attack class that does not rely on the victim's browser being tricked into initiating requests.
In CSRF, an attacker crafts a malicious link or embedded resource that causes the victim's browser to automatically send an authenticated HTTP request to a target server without the user's knowledge or intent. The browser transparently includes session cookies or credentials, making the server treat the forged request as legitimate. This distinguishes CSRF from XSS - CSRF exploits the server's trust in the authenticated browser, not the browser's trust in a script.
A server making unauthorized requests to another server describes Server-Side Request Forgery (SSRF), a separate vulnerability class where the exploit targets server-to-server communication rather than browser-to-server.
Concept tested: Cross-site request forgery (CSRF) attack mechanism
Source: https://owasp.org/www-community/attacks/csrf
Topics
Community Discussion
No community discussion yet for this question.