The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
Web sites supported by web applications whose security depends on state-changing operations can be vulnerable to cross-site request forgery. Login cross-site request forgery is a specific type of request forgery that tricks a web user into logging in to an attacker-controlled account on a vulnerable web site. Most web applications have login mechanisms with no protection against login cross-site request forgery. An attacker can trick a user into logging in to an attacker-controlled account when the user's web browser visits the attacker's web site, which has, for example, hyper-text markup language (HTML) code that instructs the user's web browser to make a cross-site login request to the vulnerable web site using the attacker's login parameters. If a vulnerable web site supports login over, for example, the hyper-text transfer protocol (HTTP) GET method, an attacker can trick a user into logging in to an attacker-controlled account created on the vulnerable web site when the user's web browser follows an attacker-designed uniform resource locator (URL) that hides the attacker's login parameters from the user. In either case, the user may not realize that a session has been established with the vulnerable web site via an attacker-controlled account, and may use the vulnerable web site as usual. If the vulnerable web site is a search engine, the attacker, who can log in to the same account at any time, would have full access to the unsuspecting user's search queries, which may be of a sensitive nature, and to any other activity tracked by the search engine, thereby violating the user's confidentiality expectations. If the vulnerable web site is a customer relationship management system, the attacker would have full access to the data the unsuspecting user enters, such as lead or account information, thereby violating the user's confidentiality expectations.
Defending against a login cross-site request forgery is different from defending against a standard cross-site request forgery attack because the login attack does not require the targeted user to be already logged in to the vulnerable web site. Since the user reaches the vulnerable web site through the login feature, the web application for the vulnerable web site cannot send the user a session-bound token that would prevent the login attack, because the user has not yet established any session with which the web application can associate the token. If the web application for the vulnerable web site instead provides a token to every visitor as a required parameter for logging in, an attacker can simply request the login page, obtain a valid token, and include it in the attacker's login parameters, because nothing ties that token to the browser of the user being attacked.