Have you read that article, https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF), and its references? If you still have questions after that, feel free to ask.
Security testing is often conducted by security testing services through a team of experienced testers specializing in networking and technology systems. The main purpose of security testing is to test for holes in authentication, the confidentiality of data, and how the system will react to a malicious attack.
CSRF (Cross-Site Request Forgery) is the most common type of web attack; it is also featured in the OWASP Top 10 web attacks. CSRF is an attack in which the user is tricked into executing unwanted actions in a web application where they are currently authenticated.
With a little help from social engineering, the user is tricked into clicking a link sent via a phishing email, chat, etc. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
For most web applications, browser requests include authentication, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
There are numerous ways a user can be tricked into submitting information to a web application.
Suppose you want to transfer $500 to someone using a Citibank.com web application that is vulnerable to CSRF. Arun, an attacker, wants to trick you into sending the money to Arun instead. The attack will comprise the following steps:
Step 1: Building an exploit URL or script.
Step 2: Tricking you into clicking it using social engineering.
There can be multiple ways:
There are multiple automated security tools to test for CSRF loopholes in web applications, like Zed Attack Proxy, Arachni, Burp Suite, etc.
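The post explains why the vulnerable site cannot tell a forged request from a legitimate one: both carry the victim's session cookie. The following is an added example (not code from the original post or from any of the tools it names) of the server-side defense that restores that distinction, using the synchronizer-token pattern plus an Origin/Referer check. The host name bank.example, the in-memory session store, and the request dictionaries are constructed stand-ins for a real web framework's objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origins from which state-changing requests are accepted (constructed value).
ALLOWED_ORIGINS = {"https://bank.example"}

# In-memory session store: session id -> session data (stand-in for a real store).
SESSIONS = {}


def create_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def origin_allowed(headers):
    """Accept only if Origin (or, failing that, Referer) names one of our origins."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: reject state changes
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def transfer(request):
    """Handle POST /transfer. Returns (status, message) like an HTTP response."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    if request["method"] != "POST":
        return 405, "state change must use POST"
    if not origin_allowed(request["headers"]):
        return 403, "cross-site origin rejected"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    amount, to = request["form"]["amount"], request["form"]["to"]
    return 200, f"{session['user']} transferred ${amount} to {to}"


def legitimate_request(sid):
    """Constructed request from the bank's own form: same-origin, token present."""
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "headers": {"Origin": "https://bank.example"},
        "form": {"csrf_token": csrf_token_for(sid), "amount": "500", "to": "bob"},
    }


def forged_request(sid):
    """Constructed cross-site auto-submitted form: the browser still attaches
    the victim's session cookie, but no token and a foreign Origin."""
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"amount": "500", "to": "arun"},
    }


def demo():
    sid = create_session("alice")
    return {
        "legitimate": transfer(legitimate_request(sid)),
        "forged": transfer(forged_request(sid)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks are independent on purpose: the Origin check catches the common case cheaply, and the token check still holds if a browser omits both Origin and Referer headers or if the allow-list is misconfigured.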