Top 10 2010-A5-Cross-Site Request Forgery (CSRF)

The application allows a user to submit a state changing request that does not include anything secret. Like so:
 *  http://example.com/app/transferFunds?amount=1500& destinationAccount=4673243243

So, the attacker constructs a request that will transfer money from the victim’s account to their account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.
 * TODO: &lt;img src=" http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“width="0" height="0" /&gt;  

If the victim visits any of these sites while already authenticated to example.com, any forged requests will include the user’s session info, inadvertently authorizing the request.


 * OWASP CSRF Article
 * OWASP CSRF Prevention Cheat Sheet
 * OWASP CSRFGuard - CSRF Defense Tool
 * ESAPI Project Home Page
 * ESAPI HTTPUtilities Class with AntiCSRF Tokens
 * OWASP Testing Guide: Chapter on CSRF Testing
 * OWASP CSRFTester - CSRF Testing Tool


 * CWE Entry 352 on CSRF