Posts

Showing posts from February, 2012

CSRF (Cross Site Request Forgery)

A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. The following tests are based on a fund transfer application. The authenticated and authorized user is provided with an interface where he can transfer funds from one account to another account. This test can be applied in the same way to similar applications with functions identified as critical in the application context, such as the fund transfer above, publishing application content through a CMS, or changing a password. The attack is possible in the following scenario (tested).

1. The user has opened his mail in the browser window where he has already opened his Fund Transfer application in a separate tab, as shown in the snapshot above. This is seen in IE 7.0.

2. In the case of IE 6, the user needs to create another instance of the browser by selecting File -> New -> Window.

3. In case the application is opened in one browser window and only on...