This is just a random thought that popped into my head, I never even thought of validating for this. Wondering if this is a legit threat I should be mitigating against.
Say I have a form on my site to perform administrative functions or even something as simple as just a forum to post stuff. You have to be logged in to use it and it's just a rather standard form, does some basic validation and escaping of data to prevent SQL injection but other than that fairly basic.
Nothing stops a malicious site from POSTing data to that form via JavaScript or other method, so if you are logged in and happen to go to the malicious site it will then POST data as you. Can that be done?
What is a typical way of preventing this sort of attack? What I'm thinking of doing is when a form is loaded it will generate a random ID, store it in a SQL table with other data to identify the form/user, and then have it in a hidden field. So when you submit the form it also validates that ID.
Is there a better way or am I on the right track?
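The hidden-field token scheme described in the question, worked through as an added example (not the poster's code): a per-session, per-form token is issued when the form is rendered, embedded in a hidden input, and checked on submit. The store is an in-memory dict standing in for the SQL table the question mentions; the session ids, form ids and TTL are constructed values.

```python
import hmac
import secrets
import time

# Constructed in-memory store: {(session_id, form_id): (token, issued_at)}.
# A real deployment keeps this in the server-side session or a DB table.
_tokens = {}
TOKEN_TTL_SECONDS = 3600


def issue_token(session_id, form_id, now=None):
    """Generate an unpredictable token for this session and form when the
    form page is rendered; the return value goes into the hidden field."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _tokens[(session_id, form_id)] = (token, now)
    return token


def hidden_field(token):
    """Markup the form page emits alongside its other inputs."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def validate_token(session_id, form_id, submitted, now=None):
    """True only if the submitted token matches the one issued to this
    session/form and has not expired. A matching token is consumed, so
    it cannot be replayed."""
    now = time.time() if now is None else now
    key = (session_id, form_id)
    stored = _tokens.get(key)
    if stored is None or not isinstance(submitted, str):
        return False
    token, issued_at = stored
    if now - issued_at > TOKEN_TTL_SECONDS:
        del _tokens[key]
        return False
    # Constant-time compare so timing does not leak the token byte by byte.
    if not hmac.compare_digest(token.encode(), submitted.encode()):
        return False
    del _tokens[key]  # single use
    return True


def handle_post(session_id, form_id, form_data, now=None):
    """Simulated form handler: the session cookie identifies the user, but a
    POST is processed only if it also carries the matching token, which a
    cross-site page never saw."""
    if not validate_token(session_id, form_id, form_data.get("csrf_token"), now):
        return "rejected"
    return "accepted"
```

A forged cross-site POST arrives with the victim's cookie but without the token, so it is rejected while the user's own submission of the rendered form is accepted.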