#### Cross-Site Request Forgery (CSRF)
- Takes advantage of cookies that the browser passes along automatically with requests.
- Example: a malicious form, combined with social engineering, gets someone to submit their user info into the bad form.

![Imgur](https://i.imgur.com/VhaHVOK.png)

#### Challenge 1: CSRF
![Imgur](https://i.imgur.com/MdRJQ0H.png)

#### Challenge 1: Solution
- Build a simple landing page with an image tag.
- The image URL specifies which accounts to transfer between and how much. If you are logged in, you can grab the account numbers by inspecting the options.
- Either one of these attacks could be embedded in a page.
- Never mutate data on GET requests.

##### Attack #1
![Imgur](https://i.imgur.com/6XGl2As.png)
- This could be a link that someone clicks without knowing that funds were transferred; by the time they notice, it is too late.
![Imgur](https://i.imgur.com/UUA5rzD.png)

##### Attack #2
- This time we use a form and build it to match the data. It transfers from account 1 to account 2 when the form is submitted.
  - Couldn't get this one to work????????
![Imgur](https://i.imgur.com/0gCngCa.png)

#### CSRF Protection
- Vulnerable if the server relies on a cookie or on Basic Authentication credentials, which are sent along with every request, to authenticate or authorize the user.
- Authentication proves who you are. Authorization determines what you are allowed to do, i.e. which privileges you have.
- The exception is a client-side cookie: for example, if you pluck a value out of a cookie and place it in a request header, CSRF fails, because reading that cookie requires running code on the domain that owns it. If the cookie is only a storage mechanism and the server doesn't treat it as proof of authentication, CSRF doesn't work.
- CSRF works because code on one site can make a request to another site: it cannot read that site's cookies, but it can take advantage of the browser sending them along for the ride.
- Local storage and session storage are only accessible on the client side. Session storage is destroyed when the user closes the browser; local storage can live much longer. Neither is passed along with requests the way cookies are.
![Imgur](https://i.imgur.com/y7lmvtm.png)

##### Defenses
- Create a CSRF token. Tokens are generated in an unpredictable way with each page load. Example: the server generates numbers that must meet a certain condition (divisible by 5, 57, ...), and they are disposable, so each one can be used only once before it is no longer valid. You want an iterative algorithm; it could be a salt combined with a timestamp, or similar, to ensure tokens don't get reused.
![Imgur](https://i.imgur.com/4E3LYd4.png)

##### Request Origin
- Validate request origins.
- Example: on Heroku you are always behind a Squid proxy, so the X-Forwarded-Host header is always available and tells you where the request is coming from.
![Imgur](https://i.imgur.com/QCBlmWT.png)
      
##### CORS
- Cross-Origin Resource Sharing is what allows you to submit requests from one domain to another.
- Always set CORS headers properly.
- Usually there is an OPTIONS pre-flight request sent to the endpoint server to see which options it will accept. This all happens in the browser; your application code doesn't see it.
![Imgur](https://i.imgur.com/8kgbfXK.png)
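As an added example that is not code from the course or from csurf, the two checks above (request-origin validation and CORS headers) written as plain Node functions over a header object with lowercased keys, so they run without a framework. The allowed-origin list, the `trustProxy` switch, and the sample hosts are assumptions; the X-Forwarded-Host handling follows the Heroku note above.

```javascript
// Added example, not the course's code: request-origin validation and CORS
// headers as plain functions over a header object whose keys are lowercased
// (as Node's http module does). Origins and hosts below are constructed.
const ALLOWED_ORIGINS = new Set([
  'https://bank.example',        // the app's own origin (constructed)
  'https://admin.bank.example',  // a trusted first-party origin (constructed)
]);

// The origin this request was addressed to. X-Forwarded-Host is only trusted
// when a known proxy (Heroku's, in the notes) sets it; any client can send that
// header directly, so without a proxy it must be ignored in favour of Host.
function requestOrigin(headers, trustProxy) {
  const forwarded = trustProxy ? headers['x-forwarded-host'] : undefined;
  const host = (forwarded ? forwarded.split(',')[0] : headers['host'] || '').trim();
  return host ? `https://${host}` : null;
}

// Reject a state-changing request unless its Origin (or, failing that, the
// origin part of Referer) is our own origin or one we explicitly trust. A
// request with neither header gives no evidence of where it came from, and an
// opaque "null" origin matches nothing, so both are refused.
function originAllowed(method, headers, trustProxy = false) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) return true;  // safe methods pass
  let source = headers['origin'];
  if (!source && headers['referer']) {
    try { source = new URL(headers['referer']).origin; } catch (e) { source = undefined; }
  }
  if (!source) return false;
  return source === requestOrigin(headers, trustProxy) || ALLOWED_ORIGINS.has(source);
}

// CORS headers for a preflight or actual cross-origin request. Only an
// allow-listed origin is echoed back; reflecting whatever Origin arrives while
// also allowing credentials would let any site read authenticated responses.
function corsHeaders(headers) {
  const origin = headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};  // no CORS headers: the browser blocks the read
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    'access-control-allow-methods': 'GET, POST',
    'access-control-allow-headers': 'content-type, x-csrf-token',
    'vary': 'Origin',  // caches must not serve this answer to a different origin
  };
}

// Demo: a POST arriving from another site is refused, one from our own page passes.
console.log(originAllowed('POST', { host: 'bank.example', origin: 'https://evil.example' }));  // false
console.log(originAllowed('POST', { host: 'bank.example', origin: 'https://bank.example' }));  // true
console.log(corsHeaders({ origin: 'https://evil.example' }));                                  // {}
```

The origin check complements the token rather than replacing it: older clients and some proxies strip Referer, and the check gives no protection against a request from a trusted origin that has itself been compromised. `Vary: Origin` matters whenever the allow-origin header is computed per request, otherwise a shared cache can hand one origin's CORS answer to another.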
      
#### Challenge: Defend against CSRF
https://github.com/expressjs/csurf
- Adds a token when a form is rendered, and when the form comes back to the server, verifies that token.
- csurf does token generation and verification and acts as middleware, i.e. as a request handler.
![Imgur](https://i.imgur.com/hujDoIr.png)

##### Challenge: Solution
- Import the csurf library in routes/transfers.
- Set up the route middleware: `const csrfProtection = csrf({ cookie: true })`
- Add it to both routes.
![Imgur](https://i.imgur.com/0ruWDNO.png)
![Imgur](https://i.imgur.com/Pu6WJSr.png)
- Add the CSRF token to the server render in transfers.js. This is what the client form submission will read.
![Imgur](https://i.imgur.com/5UfrNAx.png)
- In the template in views/transfers.ejs, add the hidden input under the form tag. This passes the CSRF token on form submission so the server can verify it.
![Imgur](https://i.imgur.com/ayAR7xd.png)
- Now inspect the form and there should be a token being generated. If you refresh, you will see a new unpredictable value every time.
![Imgur](https://i.imgur.com/O6ZlR3S.png)
- You can test that the server rejects an invalid CSRF token on form submission by deleting a chunk of the token on the client side and trying to submit the form.
- Try running the jsbin code again; you will get the same responses.
- In a SPA, one way to send the CSRF token is to serve it with the initial page; then every time you send a request that mutates data, the CSRF token comes back in a response header, which you take and store in memory.
![Imgur](https://i.imgur.com/yIMg0v5.png)