web-programming   15116

django - What is a CSRF token ? What is its importance and how does it work? - Stack Overflow
"""
Cross-Site Request Forgery (CSRF) in simple words

Assume you are currently logged into your online banking at www.mybank.com
Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
Your bank cannot recognize this origin of the request: Your web browser will send the request along with your www.mybank.com cookie and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
That token is a huge, impossible-to-guess random number that mybank.com will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.
The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by www.mybank.com.

Result: You keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(Your mileage may vary.)
"""

Great explanation
security  web-programming  stack-overflow  great-explanations  eli5 
5 days ago by MarcK
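The two worlds the answer above describes (bank without a token, bank with one), carried through as a small runnable simulation. This is an added example, not code from the Stack Overflow answer or from Django: `Bank`, `Request`, `demo` and the `/transfer` query parameters are constructed stand-ins, and the query string uses `&` as the separator. Unlike the answer's "different for every page" token, this example binds one token to the login session (the approach Django's middleware takes); the defence is the same as long as the attacker's page can never read the value.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example).

    The browser attaches cookies for mybank.com automatically, which is exactly
    why a request triggered from cute-cat-pictures.org still looks logged in.
    """
    path: str
    query: str
    cookies: dict = field(default_factory=dict)


class Bank:
    """Hypothetical in-memory bank server; not Django, not a real framework."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.balances = {}   # user -> balance

    def login(self, user, balance):
        sid = secrets.token_urlsafe(32)
        # One unguessable token per session; only the bank's own pages embed it.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        self.balances[user] = balance
        return sid

    def render_transfer_form(self, cookies):
        """Serve the bank's own transfer page with the token in a hidden field."""
        sess = self.sessions.get(cookies.get("session"))
        if sess is None:
            return None
        return (f'<form action="/transfer">'
                f'<input type="hidden" name="token" value="{sess["csrf"]}">'
                f'<input name="to"><input name="amount"></form>')

    def transfer(self, req):
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return 401, "not logged in"
        params = {k: v[0] for k, v in parse_qs(req.query).items()}
        token = params.get("token", "")
        # Constant-time comparison; a missing or wrong token is refused before
        # any side effect happens.
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403, "CSRF token missing or invalid"
        amount = int(params.get("amount", "0"))
        if amount <= 0 or amount > self.balances[sess["user"]]:
            return 400, "bad amount"
        self.balances[sess["user"]] -= amount
        self.balances[params["to"]] = self.balances.get(params["to"], 0) + amount
        return 200, "transferred"


def demo():
    bank = Bank()
    cookies = {"session": bank.login("victim", 10000)}

    # 1. Legitimate transfer: the victim loads the bank's form and the browser
    #    submits the token the bank put there.
    page = bank.render_transfer_form(cookies)
    token = re.search(r'name="token" value="([^"]+)"', page).group(1)
    legit = bank.transfer(Request("/transfer", f"to=friend&amount=100&token={token}", cookies))

    # 2. Forged request from the cat-picture site: the session cookie rides along,
    #    but that page never saw the token, so the request carries none.
    forged = bank.transfer(Request("/transfer", "to=123456&amount=10000", cookies))

    # 3. The attacker guesses a token instead: refused just the same.
    guess = secrets.token_urlsafe(32)
    guessed = bank.transfer(Request("/transfer", f"to=123456&amount=10000&token={guess}", cookies))

    return legit, forged, guessed, bank.balances["victim"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns status 200 for the legitimate transfer, 403 for both forged attempts, and a remaining balance of 9900: the victim loses only the 100 they chose to send. Note that the token has to be compared on the server for every state-changing request; embedding it in the page is pointless if `/transfer` would also accept a request without it.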
Twitter
@webdesignledger : Helms Workshop Studio Gives Your Brand an Identity With Personality https://t.co/2VLHRKL3c7 (via Twitter http://twitter.com/webdesignledger/status/1019069537084375040)
Twitter  design  web  web-design  webdev  web-dev  web-development  layout  CSS  CSS3  HTML  web-programming  UI  UX  user  interface  user-interface  js  Javascript  how  howto  how-to  tu 
6 days ago by dcolanduno
Twitter
@webdesignledger : 4 Visually Powerful Website Image Hacks to Make a Splash on Launch Day https://t.co/4iTV9Oh3jK (via Twitter http://twitter.com/webdesignledger/status/1016532735467323394)
Twitter  design  web  web-design  webdev  web-dev  web-development  layout  CSS  CSS3  HTML  web-programming  UI  UX  user  interface  user-interface  js  Javascript  how  howto  how-to  tu 
13 days ago by dcolanduno
Twitter
@webdesignledger : The iOhouse Will Have you Living off the Grid in the Lap of Luxury https://t.co/lE1X9yvM7J (via Twitter http://twitter.com/webdesignledger/status/1015083702521663488)
Twitter  design  web  web-design  webdev  web-dev  web-development  layout  CSS  CSS3  HTML  web-programming  UI  UX  user  interface  user-interface  js  Javascript  how  howto  how-to  tu 
17 days ago by dcolanduno

related tags

animation  blog  chrome  css  css3  david  design  eli5  experience  extension  extensions  google  great-explanations  how-to  how  howto  html  image  inspiration  interface  javascript  jquery-plugin  jquery-plugins  jquery  jqueryui  js  layout  load  loader  loading  plug-in  plug-ins  plug  plugin  plugins  pre-load  pre-loader  preload  preloader  security  slide  slider  stack-overflow  tu  twitter  ui  usabil  user-experience  user-interface  user  ux  walsh  web-design  web-dev  web-development  web-experience  web  webdesign  webdev 
