I am learning to design a system so that it can be guarded against XSS & CSRF attacks.
I'll quickly list my understanding and then raise my questions.
It's a simple case of fraud that I am trying to avoid.
The steps mentioned below are executed by the hacker:
1. Broadcast an e-mail to a lot of people holding an account with a specific bank on Gmail, Yahoo, etc.
2. Once the mail is received, a script is executed in the background from the email on load; it checks if the bank website is open in any of the tabs. If not, it tries again at regular intervals.
3. The hacker is aware that in the POST request, only his account number needs to be updated and the money would be transferred to his account.
4. Common logic is written in the front-end code which adds the headers and cookies on every request sent to the server.
Question:
Is the above attack possible?
Answer (from my understanding):
If the hacker knows the payload required for the fund transfer, the hacker would simply hook onto the mouse-movement event and, being aware of the URL and payload, would fire the request for the fund transfer.
Cookies and other header details would be passed along, as the front-end team, for simplicity, has written logic to add these fields to every HTTP request.
Please correct me if I am wrong.
Please highlight if any of the steps undertaken by the hacker (1-4) are not practically possible.