CSRF TESTER
CSRF ATTACK
Cross-Site Request Forgery (CSRF) is an attack in which a user is tricked into executing an unwanted, state-changing action on a web application where they are already authenticated.
This is how it works:
the user is logged in to a web application (a bank's website, for example);
without logging out, the user visits a malicious web page hosted on another domain;
the malicious page sends a request (via JavaScript) to the web application: because the user is still logged in, the browser automatically attaches the necessary authentication cookies to the request headers;
the web application's backend receives the request and executes the action (a transfer of money to another bank account, for example).
Solution:
when the user requests a web page from the web application, the backend generates a secret, unguessable token bound to the user's session and embeds it in the page's DOM;
the web application's frontend attaches that token to every AJAX request that changes state;
because the browser's same-origin policy does not allow JavaScript running on other domains to read the DOM of our web page, a page on another domain cannot obtain the token and so cannot send the right one;
the web application's backend accepts the request only if a valid token for the current session is attached to it.
Consult the documentation of the language and framework you are using to implement this in your web application.
TESTER
You can use the following form to send requests to your web application from another domain (this one) and verify that it is not vulnerable to CSRF.
This web page will send the request using JavaScript.
You can check the source of this web page to verify that no real attack is executed.
Form fields: URL; request method (GET, POST, PUT, DELETE).