
Java : Cross-site request forgery (CSRF)

Overview

Cross Site Request Forgery (CSRF) is possible.

Cross-Site Request Forgery attacks rank eighth in the “OWASP Top 10 2013” list of web application vulnerabilities. CSRF is a type of attack in which a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site on which the user is currently authenticated.

A possible attack scenario:

A victim visits a website created by the attacker. That page causes a request to be sent to another server (e.g. the server of a payment system) on the victim’s behalf, performing some malicious action (e.g. transferring money to the attacker’s account). For this attack to work, the victim must already be authenticated on the target server, and the request must not require any confirmation from the user that the attacking script cannot skip or tamper with.
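As an added illustration, not taken from the DerScanner database or any project it describes, here is a Jakarta Servlet money-transfer endpoint in Java, first in the form the scenario above abuses, then hardened with a per-session synchronizer token that the cross-origin page cannot obtain. `Bank.transfer` and the `userId` / `csrf_token` session attributes are hypothetical names chosen for the example.

```java
import jakarta.servlet.http.*;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
// Hypothetical business-logic stub; only the request handling matters here.
class Bank { static void transfer(String from, String to, String amount) { /* ... */ } }

// Vulnerable: the browser attaches the session cookie to any POST, so a page on
// another origin can auto-submit a form to this URL on the logged-in victim's behalf.
class TransferServletVulnerable extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("userId") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Bank.transfer((String) session.getAttribute("userId"), req.getParameter("to"), req.getParameter("amount"));
    }
}

// Hardened: the form must echo back a random per-session token. A cross-origin page
// cannot read it (same-origin policy), so a forged POST lacks it and is refused.
class TransferServletHardened extends HttpServlet {
    private static final SecureRandom RNG = new SecureRandom();
    // Called when rendering the form; the value goes into a hidden field named "csrf_token".
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute("csrf_token");
        if (token == null) {
            byte[] buf = new byte[32];
            RNG.nextBytes(buf);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            session.setAttribute("csrf_token", token);
        }
        return token;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute("csrf_token");
        String supplied = req.getParameter("csrf_token");
        // Reject unless both exist and match; MessageDigest.isEqual compares in constant time.
        if (expected == null || supplied == null || !MessageDigest.isEqual(expected.getBytes(), supplied.getBytes())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        Bank.transfer((String) session.getAttribute("userId"), req.getParameter("to"), req.getParameter("amount"));
    }
}
```

Setting the session cookie with the `SameSite` attribute is a complementary, browser-side defence, but the server-side token check above does not depend on it.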

DerScanner Severity Score: LOW


See also

- Java : Race condition
- Java : Text4Shell Vulnerability
- Java : JNI usage