What is: CSRF

Cross-site request forgery (CSRF or XSRF) is an attack in which unwanted actions are performed on behalf of an authenticated user. The forged requests can be sent via hidden forms, specially crafted image tags or JavaScript XMLHttpRequests, even without the user's interaction or knowledge, because the browser automatically attaches the user's cookies to them.

For example, an unsuspecting user is logged in to their favorite Blu-ray rental website, which has numerous CSRF vulnerabilities. If the user visits a malicious website, it could perform actions on the rental site such as changing the shipping address, adding a new movie to the queue or altering login credentials.


CSRF prevention

The most popular protection is the CSRF token: a unique, unpredictable string embedded into the website's forms for each session. The server compares the token submitted with each state-changing request against the one stored for the session, which verifies that the request was made from a page the application itself served to the authenticated user rather than from a third-party site.
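To make the token mechanism concrete, here is an added example (not code from the original page) that contrasts a handler which trusts the session cookie alone with one that also checks a per-session CSRF token. The in-memory session store, the `/address` form and the handler names are assumptions made for the illustration; the comparison uses `hmac.compare_digest` so token checking does not leak timing information.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real application would keep this server-side in a session backend.
SESSIONS = {}


def create_session(user="alice"):
    """Log a user in and mint a fresh, unpredictable CSRF token for the session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),  # unique per session
        "address": "1 Main St",
    }
    return session_id


def render_address_form(session_id):
    """Embed the session's token in the HTML form the application serves."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/address">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="address"><button>Save</button></form>'
    )


def vulnerable_change_address(cookies, form):
    """Trusts the session cookie alone: a forged cross-site POST succeeds
    because the browser attaches the cookie to it automatically."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401, "not logged in"
    session["address"] = form["address"]
    return 200, "address updated"


def protected_change_address(cookies, form):
    """Requires the request to carry the token that was embedded in the
    legitimate form; a third-party site cannot read that token."""
    session = SESSIONS.get(cookies.get("session_id"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; rejects missing, guessed or stale tokens.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "invalid CSRF token"
    session["address"] = form["address"]
    return 200, "address updated"


if __name__ == "__main__":
    sid = create_session()
    cookies = {"session_id": sid}
    # A forged request carries the cookie but not the token.
    print(vulnerable_change_address(cookies, {"address": "attacker's address"}))
    print(protected_change_address(cookies, {"address": "attacker's address"}))
    # The legitimate form submission includes the embedded token.
    token = SESSIONS[sid]["csrf_token"]
    print(protected_change_address(cookies, {"address": "2 Oak Ave", "csrf_token": token}))
```

The protected handler rejects the forged request with 403 even though the session cookie is valid, while a submission from the application's own form, which carries the embedded token, is accepted.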
