CSRF Answers
CSRF attacks.
ANSWER:
The session cookie carries an attribute called SameSite, which is set by the server; when its value is Strict, the browser
will not send the cookie along with cross-site requests. The server therefore detects the absence of the cookie and does not
act on the request, which prevents the attack.
When a request is made, the server side checks and compares the two tokens. If the token is missing or does not match
the value stored for the user's session, the request is rejected, the session is terminated, and the event is logged as a
CSRF attack.
HTTPS is basically HTTP with encryption: the only difference between the two protocols is that HTTPS uses SSL to
encrypt ordinary HTTP requests and responses. This encrypts the traffic between server and client, but it does not help
the server determine where a request came from, so CSRF attacks are still possible.
ANSWER:
<script type="text/javascript">
window.onload = function () {
    var Ajax = null;
    // target of the forged request: the page-delete endpoint on the victim site
    var sendurl = "http://www.example.com/delete.php?pageid=5";
    Ajax = new XMLHttpRequest();
    Ajax.open("GET", sendurl, true);
    Ajax.setRequestHeader("Host", "www.example.com");
    Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    Ajax.send();
};
</script>
var ts = "__elgg_ts=" + elgg.security.token.__elgg_ts;             // timestamp token issued by Elgg
var token = "&__elgg_token=" + elgg.security.token.__elgg_token;   // secret token tied to the session
var content = ts + token + "&pageid=5";
var samyGuid = 47; //FILL IN
if (elgg.session.user.guid != samyGuid)
{
    // body not present in the original: runs only when the current user is not Samy
}
QUESTION NO 12: Why cannot a web server use the Referer header to tell whether a request is cross-site or not?
ANSWER:
A web server can't rely on the Referer header because a lot of servers remove the Referer header before sending
the request, in order to respect the privacy of users.
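An added illustration of the point made in this answer (not code from the original sheet): a check that classifies a request purely from its Origin/Referer headers has no safe answer when those headers have been removed. The site origin, function names and sample headers are assumptions made for this example.

```javascript
// Added example: classifying a request by Origin/Referer and what happens when
// the header is absent. SITE_ORIGIN and the function names are assumptions.
const SITE_ORIGIN = "https://www.example.com";

// Returns "same-site", "cross-site", or "unknown" when no usable source header
// is present (stripped for privacy, by a proxy, or sent as the opaque "null").
function classifyBySourceHeaders(headers) {
  const source = headers.origin || headers.referer;
  if (!source || source === "null") return "unknown";
  let origin;
  try {
    origin = new URL(source).origin;
  } catch (e) {
    return "unknown";
  }
  return origin === SITE_ORIGIN ? "same-site" : "cross-site";
}

// A Referer-only policy must choose a default for "unknown". Rejecting locks
// out every user whose Referer was stripped; accepting lets forged requests
// through. Either way the server still needs a token check.
function decideWithRefererOnly(headers, rejectUnknown) {
  const cls = classifyBySourceHeaders(headers);
  if (cls === "same-site") return "allow";
  if (cls === "cross-site") return "deny";
  return rejectUnknown ? "deny" : "allow";
}
```

Calling `decideWithRefererOnly({}, true)` and `decideWithRefererOnly({}, false)` shows the dilemma directly: the same header-less request is either denied (breaking legitimate users) or allowed (defeating the check).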
Deny
Sameorigin
Allow-from.
(Allow-from: takes a list of sites that are permitted to place the page in an iframe)