Add clarification to scenario in anti-request-forgery.md (#6659)

pull/6994/head
Matt Brooks 2018-06-11 23:47:30 +01:00 committed by Luke Latham
parent 984ae1618c
commit a72ae45423
1 changed files with 5 additions and 3 deletions

@ -38,11 +38,13 @@ An example of a CSRF attack:
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.com`.
1. The request runs on the `www.good-banking-site.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
When the user selects the button to submit the form, the malicious site could:
In addition to the scenario where the user selects the button to submit the form, the malicious site could:
* Run a script that automatically submits the form.
* Sends a form submission as an AJAX request.
* Use a hidden form with CSS.
* Send the form submission as an AJAX request.
* Hide the form using CSS.
These alternative scenarios don't require any action or input from the user other than initially visiting the malicious site.
Using HTTPS doesn't prevent a CSRF attack. The malicious site can send an `https://www.good-banking-site.com/` request just as easily as it can send an insecure request.
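Review bot: The reworded lead-in and the added closing sentence make the point well, but the AJAX bullet ("Send the form submission as an AJAX request.") still leaves out why that variant works: the browser attaches the authentication cookie to the cross-origin request, and the server acts on it, even though the same-origin policy prevents the malicious page from reading the response. Consider "Send the form submission as an AJAX request (the browser still attaches the cookie, even though the malicious site can't read the response)." Also, "Hide the form using CSS." is not an alternative to the first two bullets on its own; it only matters when combined with a script that auto-submits the hidden form, so either fold it into the first bullet or phrase it as "Hide the form using CSS and submit it with a script."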