- Force an authorized user to send forged HTTP requests (the attack rides on the victim's session data, e.g. the session cookie the browser attaches automatically).
- The victim must be logged in.
- The vulnerable server-side application treats these requests as legitimate.
Accepting unvalidated input, storing it in the database, and presenting it to users on request: the exploitation occurs when a logged-in user accesses that stored content.
- Unique token in a hidden form field (the value is then sent in the request body, not in the URL of the request, and a forged cross-site request cannot supply it).
- Require the user to re-authenticate before making a sensitive/important request.
- Implement a CAPTCHA.
- Mobile SMS/OTP verification.
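As an added example (not from the original notes), a minimal synchronizer-token check in Python: the per-session token is embedded as a hidden field so it only travels in the POST body, and the handler rejects any request whose body lacks the matching token. The in-memory session store, the `/transfer` route and the form field names are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session id; a real application
# would use its framework's server-side session instead.
SESSIONS = {}


def create_session():
    """Log a user in: create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def get_csrf_token(sid):
    """Return the token bound to this session (what the legitimate page embeds)."""
    return SESSIONS[sid]["csrf_token"]


def render_form(sid):
    """Embed the session's token as a hidden field; it is submitted in the body."""
    token = get_csrf_token(sid)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(sid, form):
    """Server-side check: the session cookie alone is not enough, the body token
    must match the one bound to the session. Returns (status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount', '0')}"
```

A forged request from another origin carries the victim's cookie (the `sid`) but not the hidden-field token, so it is stopped at the 403 branch.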