CSRF stands for Cross-site request forgery. It is a technique hackers use to hack into a web application.

- Assume you are currently logged into your online banking at `www.mybank.com`.
- Assume a money transfer from `mybank.com` will result in a request of (conceptually) the form `http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>`. (Your account number is not needed, because it is implied by your login.)
- You visit `www.cute-cat-pictures.org`, not knowing that it is a malicious site.
- If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into `mybank.com` (requires some luck!), they could include on their page a request like `http://www.mybank.com/transfer?to=123456;amount=10000` (where `123456` is the number of their Cayman Islands account and `10000` is an amount that you previously thought you were glad to possess).
- You retrieved that `ww
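As an added illustration (example code written for this page, not part of the original text), the checks a bank's `/transfer` endpoint would apply so that the forged request in the scenario above is refused while the bank's own transfer form still works. The origin `https://www.mybank.com`, the session layout and the sample requests are assumptions constructed for the example; the defence itself is the standard synchronizer-token pattern combined with an `Origin`/`Referer` check and a POST-only rule.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the bank serves its whole application from this single origin.
BANK_ORIGIN = "https://www.mybank.com"


def issue_csrf_token(session):
    """Create a fresh per-session token and store it server-side.

    The bank embeds this token in its own transfer form as a hidden field.
    A third-party page cannot read it: the same-origin policy stops
    cute-cat-pictures.org from reading mybank.com responses.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(header_value):
    """True only if scheme and host of an Origin/Referer value equal the bank's.

    Compared as a parsed (scheme, host) pair, not a string prefix, so that
    'https://www.mybank.com.evil.example' is not mistaken for the bank.
    """
    if not header_value:
        return False
    got = urlsplit(header_value)
    want = urlsplit(BANK_ORIGIN)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


def check_transfer_request(session, method, headers, form):
    """Decide whether /transfer may act on this request; returns (allowed, reason).

    Each check on its own already defeats the forged request from the scenario:
      1. a state change must be a POST, so a plain link or <img> cannot trigger it;
      2. the Origin (or Referer) must be the bank itself;
      3. the submitted token must match the one stored in the victim's session.
    """
    if method.upper() != "POST":
        return False, "state-changing request must use POST"
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False, "request did not originate from the bank's own pages"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes; bytes also avoid TypeError on non-ASCII input.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Constructed sample requests mirroring the scenario in the text."""
    session = {"user": "you"}          # the victim's logged-in bank session
    token = issue_csrf_token(session)

    # Forged: the cat-picture page makes the browser fetch
    # /transfer?to=123456;amount=10000. The bank cookie is attached, but the
    # request is a GET, comes from another site and carries no token.
    forged = check_transfer_request(
        session, "GET",
        {"Referer": "http://www.cute-cat-pictures.org/"},
        {"to": "123456", "amount": "10000"},
    )
    # Legitimate: the bank's own form, POSTed from the bank's origin with the token.
    legit = check_transfer_request(
        session, "POST",
        {"Origin": BANK_ORIGIN},
        {"to": "123456", "amount": "10000", "csrf_token": token},
    )
    return forged, legit


if __name__ == "__main__":
    print(demo())
```

The token check is the one that matters most: browsers omit `Origin` on some requests and users can suppress `Referer`, so the header check is a cheap first filter rather than the sole defence, and "POST only" merely closes the `<img src=...>` and link variants the scenario relies on.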