OSRF stands for On-site request forgery. It is similar to CSRF (Cross-site request forgery), but in OSRF the forged request is generated on the vulnerable site itself, which the victim is already using, and the attacker controls where the victim's response is sent.
CSRF and OSRF can be compared metaphorically with working from the office and working from home: CSRF is work from the office and OSRF is work from home. The work done is similar, but the place where it is done differs.
Similarly, both attacks forge a request, but the place where the request is forged differs. In OSRF the request is forged on the victim's own site and triggered by the victim, whereas in CSRF the attacker forges it on a form hosted on a site of their own.
The attacker injects a malicious link or script into a page of the site itself (e.g., a comment). When a logged-in user interacts with it, their browser unknowingly sends the attacker's request with the user's own session credentials.
An admin clicks a malicious link in a user comment, causing their session data to be sent to the attacker.
Filter and escape user input so injected links and scripts are rendered as text rather than acted on, use unpredictable CSRF tokens that are validated server-side on every state-changing request, and enforce SameSite cookies together with strict Origin/Referer checks.
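As an added example (not code from the original page), the checks above in plain Python: an unpredictable token compared server-side in constant time, a SameSite session cookie, an Origin/Referer check, and escaping of comment text. The application origin `https://example.test` and the request shapes are constructed for illustration. Note that an on-site forged link passes the origin check (it comes from the site itself), so the token and output escaping are what actually stop OSRF.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Assumed application origin (constructed for this example).
ALLOWED_ORIGIN = "https://example.test"


def issue_csrf_token() -> str:
    """Unpredictable per-session token; store it server-side and embed it in your own forms only."""
    return secrets.token_urlsafe(32)


def session_cookie_attributes(name: str = "session", value: str = "opaque-id") -> str:
    """Set-Cookie value with SameSite and the other hardening flags."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


def origin_allowed(headers: dict) -> bool:
    """Prefer Origin, fall back to Referer; reject when neither names the application origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_token_valid(session_token, submitted) -> bool:
    """Constant-time comparison of the token bound to the session with the submitted one."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def accept_state_change(headers: dict, session_token: str, form: dict) -> bool:
    """Gate for any state-changing request: origin check AND a valid token."""
    return origin_allowed(headers) and csrf_token_valid(session_token, form.get("csrf_token"))


def render_comment(text: str) -> str:
    """Escape user-supplied comment text so an injected link or script is shown, not executed."""
    return html.escape(text, quote=True)
```

An injected comment link lands on the site with a matching Origin and the session cookie attached, but it cannot carry the victim's token, so `accept_state_change` rejects it.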