Invalid and Manipulated Client Requests: A Threat to Application Security | CCSP Exam Preparation

Invalid and Manipulated Client Requests

Question

Which one of the following threat types to applications and services involves the sending of requests that are invalid and manipulated through a user's client to execute commands on the application under the user's own credentials?

Answers

A. Injection
B. Missing function-level access control
C. Cross-site scripting
D. Cross-site request forgery (CSRF)

Explanations

Correct answer: D.

A cross-site request forgery (CSRF) attack forces a client that a user has already authenticated to an application to send forged requests under the user's own credentials; the application executes those commands and requests because it believes they come from a trusted client and user.

Although this type of attack cannot be used to steal data directly, because the attacker has no way of seeing the results of the commands, it does open other ways to compromise an application.

Missing function-level access control exists where an application only checks for authorization during the initial login process and does not further validate with each function call.

Cross-site scripting occurs when an attacker is able to send untrusted data to a user's browser without going through validation processes.

An injection attack is where a malicious actor sends commands or other arbitrary data through input and data fields with the intent of having the application or system execute the code as part of its normal processing and queries.

The correct answer is D. Cross-site request forgery (CSRF), also known as session riding or XSRF, is a type of attack that involves the exploitation of a web application's trust in a user's authenticated session.

In a CSRF attack, a malicious actor crafts a request that appears legitimate and causes the user's browser to send it to the web application, typically by way of a specially crafted link or an email attachment. Because the user is currently authenticated to the web application, the browser automatically includes their authentication credentials in the request.

The web application, believing the request to be legitimate due to the presence of the user's credentials, executes the requested action. This could include anything from changing the user's password to transferring funds to the attacker's account.

CSRF attacks can be difficult to detect, as they appear to be legitimate requests. However, there are several mitigation techniques that can be used to prevent them, such as requiring additional confirmation from the user before executing certain actions or including anti-CSRF tokens in web forms.
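The anti-CSRF token mitigation mentioned above, worked through as an added example (not code from the exam page): a framework-free, constructed model of a session store and a state-changing `/transfer` handler using the synchronizer-token pattern, where the browser attaches the session cookie automatically but a cross-site page cannot supply the token embedded in the legitimate form. All names (`SESSIONS`, `login`, `handle_transfer`) are hypothetical.

```python
"""Synchronizer-token CSRF defense (added example; not from the CCSP page)."""
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": token}
SESSIONS: dict[str, dict] = {}


def login(user: str) -> str:
    """Create an authenticated session and issue a per-session anti-CSRF token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> dict:
    """The legitimate page embeds the session's token as a hidden form field."""
    return {"action": "/transfer",
            "hidden": {"csrf_token": SESSIONS[session_id]["csrf"]}}


def handle_transfer(cookies: dict, form: dict) -> tuple[int, str]:
    """Server-side check for a state-changing POST.

    cookies: what the browser attached automatically (the session cookie).
    form:    the POST body; only the real form carries the matching token.
    """
    session = SESSIONS.get(cookies.get("session_id", ""))
    if session is None:
        return 401, "not authenticated"
    sent = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token value.
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} transferred {form['amount']} to {form['to']}"


def simulate_cross_site_post(session_id: str) -> tuple[int, str]:
    """What a forged cross-site POST looks like to the server: the victim's
    session cookie arrives automatically, but the forging page never saw the
    token rendered into the legitimate form, so the body lacks it."""
    return handle_transfer({"session_id": session_id},
                           {"amount": "1000", "to": "constructed-account"})
```

Without the token check, `handle_transfer` would accept the forged request with status 200, which is exactly the behaviour the explanation describes.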

To briefly explain the other answer options:

A. Injection: involves the insertion of malicious code into a web application's input fields, which can then be executed by the application's backend.

B. Missing function-level access control: occurs when a web application does not properly restrict access to certain functions or features, allowing unauthorized users to perform actions they should not be able to.

C. Cross-site scripting: involves the injection of malicious scripts into a web application's content, which can then be executed by other users who view that content.