- You're signed in to website A
- You open a new tab and visit website B. Website B is a malicious website (or a trusted website which has the potential of being malicious because it allows user-generated content, UGC).
- Website B has an image tag (not necessarily, but the simplest to inject via UGC) which points to a predictable URL on website A. For example, `<img src="http://www.a.com/account/delete?confirm=yes" />`, which basically deletes your account on website A.
- Your browser will try to fetch the "image" from website A, merrily sending your session cookie along with the request. And BOOM! On website B you don't get the image ('cuz there is none), but your account has just been deleted from website A.
This is the simplest scenario I've explained. Read the Wikipedia article on CSRF to understand how it can be executed in a variety of ways and situations.
Over the past year or so I've been going ga-ga over RESTful architecture and stateless servers. I've tried making URLs predictable and discoverable. Personally, I click on the "keep me signed in" checkbox whenever browsing the web on my laptop. This just turns my world around!
Does it mean that we now need to make sure we're not signed in to one site while visiting another? Or that all web applications now have to be stateful and URLs have to be non-predictable? Which means that while generating a page the webserver will have to add a random token to each URL and validate that when the browser requests the URL? The horror!
Any thoughts, anyone? This sounds like impending doom!
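The scenario in the bullets above, and the "token on every URL" worry in the last paragraph, can be answered with a small server-side simulation. This is an added example, not code from the original post: it assumes a hypothetical "website A" at `https://www.a.com` with a `/account/delete` endpoint, a constructed session store, and a session-bound synchronizer token (an HMAC of the session id under a server secret). The point it demonstrates is that the token is tied to the session, not to each URL, and is only checked on state-changing requests, while the forged `<img>` request from the post fails twice over: it is a GET, and it carries no token.

```python
"""CSRF defence simulation: reject the forged <img> request, accept the real form post.

Added example (not from the original post). Assumptions: site A lives at
SITE_ORIGIN, sessions are identified by a 'session' cookie, and the
synchronizer token is HMAC(server_secret, session_id). All sample data is
constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "https://www.a.com"          # assumed origin of "website A"
SERVER_SECRET = secrets.token_bytes(32)    # rotated per process in this demo
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change server state

# Constructed sample state: session id -> account owner.
ACCOUNTS = {"sess-123": "alice"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session token; no per-URL state has to be stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """True if an Origin/Referer value names site A itself."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def verify_csrf(req: Request) -> tuple[bool, str]:
    """Defence-in-depth for state-changing requests: origin check + session token."""
    if req.method in SAFE_METHODS:
        return True, "safe method; handlers for it must not change state"
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session"
    # Browsers attach Origin (or at least Referer) to cross-site POSTs;
    # a value from another site is rejected outright.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not same_origin(origin):
        return False, "cross-site origin"
    # Website B can make the browser send A's cookie, but it cannot read
    # A's pages, so it cannot learn the token bound to this session.
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    expected = issue_csrf_token(session_id)
    if not token or not hmac.compare_digest(token, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


def handle_account_delete(req: Request) -> tuple[int, str]:
    """The /account/delete endpoint, hardened: POST-only plus CSRF verification."""
    if req.method != "POST":
        return 405, "state-changing actions require POST"
    ok, reason = verify_csrf(req)
    if not ok:
        return 403, reason
    user = ACCOUNTS.pop(req.cookies["session"], None)
    return 200, f"account {user} deleted"


if __name__ == "__main__":
    cookie = {"session": "sess-123"}
    # 1. The forged <img> from website B: a GET carrying A's cookie.
    forged_img = Request("GET", "/account/delete", {"Referer": "https://b.example/"}, cookie)
    print("forged img:", handle_account_delete(forged_img))
    # 2. A cross-site POST carrying A's cookie but B's Origin.
    forged_post = Request("POST", "/account/delete", {"Origin": "https://b.example"}, cookie, {"confirm": "yes"})
    print("forged post:", handle_account_delete(forged_post))
    # 3. The real form rendered by A, which includes the session-bound token.
    legit = Request("POST", "/account/delete", {"Origin": SITE_ORIGIN}, cookie,
                    {"confirm": "yes", "csrf_token": issue_csrf_token("sess-123")})
    print("legit post:", handle_account_delete(legit))
```

The server stays stateless with respect to CSRF: the token is recomputed from the session id and the secret, so nothing extra is stored and no URL has to change. Only forms and API calls that change state need to carry it; every plain GET stays predictable and discoverable. A modern browser-level complement, not shown in the code, is to issue the session cookie with the `SameSite=Lax` attribute, which stops the browser from attaching it to the cross-site `<img>` fetch in the first place; the server-side token remains the check that does not depend on the client.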