Question

Cross-site request forgery ( CSRF) is a client-side technique used to attack other users of a web application. Using CSRF, attackers can send HTTP requests that pretend to come from the victim, carrying out unwanted actions on a victim’s behalf. For example, an attacker could change your password or transfer money from your bank account without your permission.

跨站请求伪造（CSRF）是一种客户端技术，用于攻击 Web 应用程序的其他用户。利用 CSRF，攻击者可以发送 HTTP 请求，假装来自受害者，在受害者的名义下执行不必要的操作。例如，攻击者可以在未经您许可的情况下更改您的密码或从您的银行账户转移资金。

CSRF attacks specifically target state-changing requests, like sending tweets and modifying user settings, instead of requests that reveal sensitive user info. This is because attackers won’t be able to read the response to the forged requests sent during a CSRF attack. Let’s get into how this attack works.

CSRF 攻击专门针对状态更改请求，如发送推文和修改用户设置，而不是泄露敏感用户信息的请求。这是因为攻击者将无法读取 CSRF 攻击期间发送的伪造请求的响应。让我们深入了解这种攻击如何运作。