1.7.2 CSRF Attack - Theory Info
A CSRF Attack allows the Attacker User to trick the Web Application into thinking that he is the Victim User, and then to issue an action (like changing the Password) without the Victim's knowledge.
But the Attacker can't send the HTTP Request that changes the Password to the Web Application directly from his own Computer/Browser. This is because his Browser doesn't have the Session Cookie that would automatically Authenticate him as the Victim User. Without this Session Cookie the Web Application wouldn't know who he is and would present him with a Login Form to Authenticate him. And since the Attacker doesn't know the Victim's Password, he will not be able to Login as the Victim in order to change the Victim's Password.
So the idea is that the HTTP Request to the Web Application to change the Password must come from the Victim's Browser. The Attacker must somehow trick the Victim into sending that HTTP Request to the Web Application.
The Attacker can do that by persuading the Victim to visit the Attacker's Web Page (a Web Page made by the Attacker). The Attacker's Web Page will contain a Form that sends an HTTP Request to Gmail to change the Password.
Instead of creating a fake Web Page with a Form that generates an HTTP POST Request, sometimes the Attacker can simply send a Link to the Victim, as explained in Attacker's Link, that sends an HTTP GET Request. This can be done when the Password can be changed through an HTTP GET Request instead of an HTTP POST Request.
Attacker.html
<form method="GET" action="https://www.gmail.com/changepassword" >
<input type="hidden" name="newpassword" value="mynewpassword" />
</form>
HTTP Request to change Password
https://www.gmail.com/changepassword?newpassword=mynewpassword
Attacker's Link
<img src="https://www.gmail.com/changepassword?newpassword=mynewpassword">
Attacker's Link
Instead of creating a fake Web Page with a Form that generates an HTTP Request, sometimes the Attacker can simply send a URL to the Victim, as shown below.
This works when the Password can be changed by sending an HTTP GET Request, since a GET Request can be issued through a Link, unlike an HTTP POST Request, which can only be generated through an HTML Form.
Links can be created
with <a> as a text link
with <img> as an image link
The Attacker can simply place this Link inside a Comment on some Post, or as part of his own Post.
When the Victim clicks on the Text/Image Link, an HTTP GET Request is sent to Gmail together with the Session Cookie, which automatically Authenticates the User and changes his Password.
Attacker's Link
<img src="https://www.gmail.com/changepassword?newpassword=mynewpassword">
Attacker's Web Page
The Attacker knows that in order to change the Gmail Password the User must send an HTTP Request in the following form
HTTP Request to change Password
https://www.gmail.com/changepassword?newpassword=mynewpassword
The User will never have to actually type this in. Instead Gmail gives him a Form where the User can enter the new Password. When the User presses Submit, this HTTP Request is generated in the background and sent to the Gmail Web Application. The Session Cookie is automatically included in every HTTP Request that goes to www.gmail.com in order to Authenticate the User.
So if the Attacker wants to change the User's Password, he simply needs to create a similar Form and persuade the Victim to submit that Form from his Browser, so that the Session Cookie gets included in the HTTP Request.
So the Attacker creates the Attacker's Web Page with the Form shown below.
When the Victim visits the Attacker's Web Page, that Web Page gets loaded into the Victim's Browser. When the Victim presses the Submit Button on the Form that is part of this Web Page, the Form sends the HTTP Request to Gmail.
Since this HTTP Request is now being sent from the Victim's Browser, the Session Cookie automatically gets included in the HTTP Request, automatically Authenticating the User. Gmail sees that the action came from an Authenticated User and changes the Password.
Although the HTTP Request came from an Authenticated User, Gmail has no way of knowing that the User did not want to perform this action.
Attacker.html
<form method="GET" action="https://www.gmail.com/changepassword" >
<input type="hidden" name="newpassword" value="mynewpassword" />
</form>
HTTP Request to change Password
https://www.gmail.com/changepassword?newpassword=mynewpassword
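The following is an added example, not part of the original text and not real Gmail code. It models the server side of both the Attacker's Link and Attacker's Web Page scenarios above: a handler that accepts GET and trusts the Session Cookie alone (the Password is changed by the forged request), beside a hardened handler that requires POST plus a per-Session token that the Attacker's page cannot obtain. Server name, secret, session id and user are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse


class PasswordServer:
    """Toy model of the Gmail-like Web Application in the text (constructed, not real Gmail)."""

    def __init__(self):
        self.secret = b"constructed-server-side-secret"
        self.sessions = {"sess-victim": "victim"}   # Session Cookie value -> User
        self.passwords = {"victim": "old-password"}

    def _user(self, cookies):
        # The Browser attaches the Session Cookie to every request to this site,
        # so this lookup succeeds for a forged request as well.
        return self.sessions.get(cookies.get("session", ""))

    def csrf_token(self, session_id):
        # Token bound to the Session. It is embedded in the real Form served to the
        # User; the Attacker's Web Page cannot read it, so a forged request lacks it.
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def vulnerable_change(self, method, url, cookies):
        """Accepts GET and trusts the Session Cookie alone: the weakness the text describes."""
        user = self._user(cookies)
        if user is None:
            return 401
        new = parse_qs(urlparse(url).query).get("newpassword", [None])[0]
        if new is None:
            return 400
        self.passwords[user] = new
        return 200

    def hardened_change(self, method, cookies, form):
        """State change only via POST, and only with a token that matches the Session."""
        user = self._user(cookies)
        if user is None:
            return 401
        if method != "POST":
            return 405
        expected = self.csrf_token(cookies["session"])
        given = form.get("csrf_token", "")
        if not hmac.compare_digest(given.encode(), expected.encode()):
            return 403
        new = form.get("newpassword")
        if new is None:
            return 400
        self.passwords[user] = new
        return 200
```

Calling vulnerable_change with the page's URL and a cookie dict containing the Victim's session returns 200 and overwrites the Password, while hardened_change answers 405 to the GET from the <img> or Form and 403 to a POST without the token, leaving the Password untouched.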