nerdexam
EC-Council

312-50V11 · Question #122

Cross-site request forgery involves:

The correct answer is C. A browser making a request to a server without the user's knowledge. CSRF exploits the trust a web server has in a user's authenticated browser, tricking it into submitting unauthorized requests without the user's awareness.

Hacking Web Applications

Question

Cross-site request forgery involves:

Options

  • AA request sent by a malicious user from a browser to a server
  • BModification of a request by a proxy between client and server
  • CA browser making a request to a server without the user's knowledge
  • DA server making a request to another server without the user's knowledge

How the community answered

(33 responses)
  • B
    3% (1)
  • C
    94% (31)
  • D
    3% (1)

Why each option

CSRF exploits the trust a web server has in a user's authenticated browser, tricking it into submitting unauthorized requests without the user's awareness.

AA request sent by a malicious user from a browser to a server

A malicious user deliberately sending requests from their own browser describes a direct unauthorized access attempt, not CSRF, which requires the victim's own authenticated browser to be the unwitting vehicle.

BModification of a request by a proxy between client and server

An intermediary altering traffic in transit describes a man-in-the-middle (MITM) attack, which is a distinct attack class that does not rely on the victim's browser being tricked into initiating requests.

CA browser making a request to a server without the user's knowledgeCorrect

In CSRF, an attacker crafts a malicious link or embedded resource that causes the victim's browser to automatically send an authenticated HTTP request to a target server without the user's knowledge or intent. The browser transparently includes session cookies or credentials, making the server treat the forged request as legitimate. This distinguishes CSRF from XSS - CSRF exploits the server's trust in the authenticated browser, not the browser's trust in a script.

DA server making a request to another server without the user's knowledge

A server making unauthorized requests to another server describes Server-Side Request Forgery (SSRF), a separate vulnerability class where the exploit targets server-to-server communication rather than browser-to-server.

Concept tested: Cross-site request forgery (CSRF) attack mechanism

Source: https://owasp.org/www-community/attacks/csrf

Topics

#CSRF#web application attacks#cross-site request forgery#browser requests

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice