You visit some site, not knowing that it is a malicious site. If the owner of that site knows the form of the above request (easy!) and correctly guesses that you are logged into your bank (requires some luck!), they could include on their page a request like `…amount=10000` (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess). (Your account number is not needed, because it is implied by your login.) You retrieved that page, so your browser will make that request. Your bank cannot recognize the origin of the request: your web browser will send the request along with your cookie, and it will look perfectly legitimate.

The defence is a token. That token is a huge, impossible-to-guess random number that your bank includes in its own web page when it serves it to you. It is different each time they serve any page to anybody. The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by your bank. Result: you keep your 10000 monetary units.
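The scenario above, worked through in code as an added example (this is not the page's own code, nor any real bank's): a constructed in-memory session store and ledger stand in for the bank's backend, `serve_transfer_form` mints a fresh token into each page it serves, and `handle_transfer` refuses any request whose token is missing, wrong, or already used. The account name "alice", the cookie and token lengths, and the form field names are assumptions made for the example. Because the browser attaches the session cookie to every request, the cookie alone cannot distinguish a forged request from a real one; only the token can.

```python
import hmac
import secrets

# Constructed state for the example: stands in for the bank's session
# store and account ledger. Nothing here is a real application's code.
SESSIONS = {}                 # session cookie -> {"user": ..., "tokens": set()}
BALANCES = {"alice": 10000}   # assumed starting balance


def login(user):
    """Issue a session cookie; the browser will attach it to every later request."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "tokens": set()}
    return cookie


def serve_transfer_form(cookie):
    """Serve the bank's transfer page.

    A fresh, unguessable token is minted for this page, remembered for the
    session, and embedded in the form. The attacker's page cannot read it:
    the browser's same-origin policy keeps one site's content from another.
    """
    session = SESSIONS[cookie]
    token = secrets.token_urlsafe(32)
    session["tokens"].add(token)
    html = (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )
    return html, token


def handle_transfer(cookie, form):
    """Process POST /transfer and return (status, message).

    The cookie identifies the account, so no account number is needed.
    The token proves the request was built from a page the bank itself
    served to this session, which a forged request cannot supply.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison against every token still valid for this session.
    match = next(
        (t for t in session["tokens"] if hmac.compare_digest(t, submitted)), None
    )
    if match is None:
        return 403, "missing or invalid CSRF token"
    session["tokens"].discard(match)  # one-time use: a replay is refused too
    user = session["user"]
    amount = int(form["amount"])
    if amount <= 0 or amount > BALANCES[user]:
        return 400, "invalid amount"
    BALANCES[user] -= amount
    return 200, f"transferred {amount} to {form['to']}"


def demo():
    """Run the story: a forged request, a legitimate one, and a replay."""
    cookie = login("alice")

    # The malicious page makes the browser send the request with the cookie
    # but without a token (it never saw one).
    forged = handle_transfer(cookie, {"to": "123456", "amount": "10000"})

    # Alice herself uses the bank's own page, which carries a token.
    _, token = serve_transfer_form(cookie)
    legit = handle_transfer(
        cookie, {"to": "friend", "amount": "10000", "csrf_token": token}
    )

    # Reusing the same token is refused as well.
    replay = handle_transfer(
        cookie, {"to": "friend", "amount": "1", "csrf_token": token}
    )
    return forged, legit, replay, BALANCES["alice"]


if __name__ == "__main__":
    print(demo())
```

Running the block prints the forged request refused with 403, the legitimate transfer accepted with 200, and the replay refused with 403. Alice's balance is untouched by the forged request; only her own deliberate transfer moves money.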