Update topics/threat/csrf.adoc

Stian Thorgersen 2016-06-13 08:39:23 +02:00
parent 480f3aeb4a
commit 6ee7184f92


@ -2,7 +2,7 @@
=== CSRF Attacks === CSRF Attacks
Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from a user that the
web site trusts or has authenticated with(e.g., via HTTP redirects or HTML forms). Any site that uses cookie based authentication is vulnerable to these types of attacks. web site trusts or has authenticated with(e.g. via HTTP redirects or HTML forms). Any site that uses cookie based authentication is vulnerable to these types of attacks.
These attacks are mitigated by matching a state cookie against a posted form or query parameter. These attacks are mitigated by matching a state cookie against a posted form or query parameter.
The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter. The OAuth 2.0 login specification requires that a state cookie be used and matched against a transmitted state parameter.
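Review bot: the line this hunk edits still carries two defects the same change could fix: "with(e.g." lacks the space before the parenthesis on both the old and new side, and "cookie based" should be hyphenated as "cookie-based". The trailing context line also cites "The OAuth 2.0 login specification", which is not the name of any specification; the relevant text is RFC 6749 (The OAuth 2.0 Authorization Framework), section 10.12, which makes CSRF protection of the client's redirection endpoint mandatory and recommends the `state` parameter as the mechanism for it. Suggested wording: "RFC 6749 (OAuth 2.0), section 10.12, requires CSRF protection for the redirection endpoint and recommends binding a state cookie to the transmitted state parameter."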