
Why do most examples of CSRF use roundabout ways of executing an API call instead of just using pure Javascript?

Çağlar Arlı      -    51 Views


When I see examples of CSRF attacks, it is almost always explained with someone entering some external API URL in an <img> tag, e.g. <img src="bank.com/transfer?amount=10000&recipient=badguy">. Or it involves a form which, when submitted, executes a POST request to bank.com.

My question is why not just include the API call in a <script> tag? For example,

<html>
    ...
    <script>
        // Request is issued automatically when the page loads; the options object carries the method
        fetch("https://bank.com/transfer?amount=10000&recipient=badguy", { method: "POST" });
    </script>
</html>

Wouldn't this have the same effect, or perhaps even greater effect since the user wouldn't have to manually submit a form?
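As an added illustration (not part of the original question, and not any real bank's or project's code): whichever of the three delivery mechanisms described above is used, the browser attaches headers the attacker's page cannot forge, so the server can refuse all of them with one standard-header check. The origin `https://bank.example`, the helper names and the sample header sets are constructed for this example.

```javascript
const SITE_ORIGIN = "https://bank.example"; // assumed origin of the protected app (constructed)
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Decide whether a request to a state-changing endpoint (e.g. /transfer) may proceed.
// Only browser-controlled headers are consulted: Sec-Fetch-Site, then Origin/Referer.
function isAllowed(method, headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  // A transfer must never happen on GET: that alone neutralises the <img> variant.
  if (SAFE_METHODS.has(method.toUpperCase())) return false;
  // Fetch Metadata (modern browsers): relation of the initiating site to this one.
  // "same-origin" is the app's own pages; "none" is a user action such as a typed URL.
  // "cross-site" covers the <form> and fetch() variants; "same-site" (sibling
  // subdomains) is deliberately rejected for a sensitive endpoint.
  const site = h["sec-fetch-site"];
  if (site !== undefined) return site === "same-origin" || site === "none";
  // Older browsers: fall back to Origin, then Referer; no source at all fails closed.
  const source = h["origin"] ?? h["referer"];
  if (source === undefined) return false;
  try {
    return new URL(source).origin === SITE_ORIGIN;
  } catch {
    return false; // unparsable source header
  }
}

// Constructed sample requests matching the three delivery mechanisms in the question
// plus legitimate traffic. Header values are what browsers send in each situation.
const SAMPLES = {
  imgTag:        ["GET",  { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image" }],
  autoForm:      ["POST", { "Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "document" }],
  fetchPost:     ["POST", { "Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors" }],
  legitimate:    ["POST", { "Origin": "https://bank.example", "Sec-Fetch-Site": "same-origin" }],
  legacyBrowser: ["POST", { "Origin": "https://bank.example" }], // no Fetch Metadata support
  noHeaders:     ["POST", {}],                                   // fail closed
};

// Returns { sampleName: allowed } so the outcome can be inspected or asserted on.
function evaluateSamples(samples = SAMPLES) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, [method, headers]]) => [name, isAllowed(method, headers)])
  );
}

console.log(evaluateSamples());
```

This origin-verification check complements, rather than replaces, SameSite cookie attributes and per-request anti-CSRF tokens.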