Cross-Site Request Forgery (CSRF)


Today i will explain another way of how hackers hack people accounts but first let's what is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRFattacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Which means if a user is login in a website which have CSRF vuln(vulnerability) and attacker wants to change the password of his target victim (user) then attacker will force him to do it.
now you are saying that how did he will force him to do ?
actually he will not force him to do this, he will make him fool and he will gonna creates an form (html form) and then executes to change his password.
For Example:
That vulnerable website have password change/update form have HTTP POST request (it's actually depends on the web dev how did he made it i mean some websites also have GET method to update password or login user) lett's suppose that form have
1 inputs field which is "Enter new Password" with Submit form button (the button like update password etc)
Html form code:
<form action="http://example.com/postrequesturl/to/updatepass/" method="post"> <input name="new_pass" placeholder="Please Enter New Password" type="password"></input><br /> <input type="submit" value="Update Password"></input> </form>
And now how did the attacker will force him to change his password without let him knowing about it.
First he will use some tools like Burpsuite to generate his CRSFTester and his code to change password will be looks like this:
<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://example.com/"><table><tr>
<tr><td>new_pass</td><td><input type="text" value="hackmyaccount" name="new_pass"></td></tr>
</table><input type="submit" value="changepassword"></form></html>


And when he(attacker) gonna click on button then BOOM! (lol) his got his victim account :)
So this how was another way to hack people accounts...
CSRF vulnerability sometimes too dangerous because some sites like bank sites or shopping sites hackers can use this method to hack or buy stuff from user accounts :)
But password changing way isn't mostly coz some websites also ask for current password.
I hope you understands it well.