Which web security attack causes a logged-in user's browser to send…

2024

Which web security attack causes a logged-in user's browser to send unauthorized requests to a trusted web application without the user's intentional consent?

  1. A.

    Phishing

  2. B.

    SQL Injection

  3. C.

    CSRF (Cross-Site Request Forgery)

  4. D.

    Spoofing

  5. E.

    Session Hijacking

Attempted by 45 students.

Show answer & explanation

Correct answer: C

Correct answer: CSRF (Cross-Site Request Forgery).

CSRF is a web security attack that forces an already logged-in (authenticated) user's browser to send unauthorized, state-changing requests to a trusted web application without the user's intentional consent. The browser automatically attaches the user's session cookies to every request, so when the victim is tricked into loading a malicious page or link, the forged request rides on the victim's valid session and the trusted application treats it as legitimate.

Because the application trusts the session (not the action's origin), the attacker can make the victim perform actions such as transferring funds, changing the email/password, or updating account settings — all without the user knowingly approving them. Standard defences are anti-CSRF tokens, the SameSite cookie attribute, and verifying the Origin/Referer header.

Why not the others: Phishing tricks the user into voluntarily revealing credentials; SQL Injection manipulates back-end database queries through malicious input; Spoofing falsifies an identity or address (IP/email/DNS); Session Hijacking steals or takes over an existing session token. Only CSRF abuses the browser's automatic transmission of the victim's credentials to make the victim's own browser issue the unwanted request.

Explore the full course: Up Police Computer Operator