CSRF arises because of a problem with how browsers treat cross origin requests. Take the following example: a user logs into site1.com and the application sets a cookie called âauth_cookieâ. A user then visits site2.com. If site2.com makes a request to site1.com, the browser sends the auth_cookie along with it.
Normally this doesnât matter, if itâs a GET request then the page is served, and the same-origin policy stops any funny business. But what if site2.com makes a POST request instead? That request came from the same computer as the valid session and uses the correct authentication cookie. Thereâs no way to tell the difference, and any state-changing operation can be performed.
During the course of a recent penetration test I noticed that, on the application I was assessing, admins had the ability to add web pages: a pretty reasonable action for the site in question. Unfortunately, the action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML.
Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the âsrcâ parameter. Normally this is a standard page, and the content is displayed. But what if you framed a âlog-offâ page which invalidated your authentication cookie and then redirected you back to âindex.htmlâ?
Well, turns out it does exactly what it says on the tin, but, importantly, it doesnât redirect the entire page, only the contents of the iframe. The following code logs a user out without causing a redirect, so any malicious JavaScript injected will still execute.
Source: Tackling cross-site request forgery (CSRF) on company websites
Rethinking Cross-Site Request Forgery in Light of Big Data