Tuesday, 28 April 2015

Are anti-forgery tokens necessary on a login page?

I keep seeing code samples which place anti-forgery tokens on standard username/password login pages. Even the ASP.NET web project template does it.

Why? The only system state that is changed is the user's login status, and in order to even make that happen the attacker would need their username and password, which would mean everything is already maximally compromised.

I just don't see the attack vector here. Am I missing something?
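The token check on a login form works exactly like the one on any other state-changing POST: the token is bound to the pre-authentication session cookie, so the server accepts the credentials only if the POST came from a page it rendered for that same session. The example below (added here; not the question author's code and not ASP.NET's implementation) is a minimal synchronizer-token handler in Python with an in-memory session store and a constructed user table. The hidden-field name `__RequestVerificationToken` is the one ASP.NET uses; `start_session`, `render_login_form` and `handle_login_post` are hypothetical names chosen for this illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store keyed by the session cookie value.
# A real application would keep this in its session middleware.
SESSIONS: Dict[str, dict] = {}

# Constructed credential table (illustration only; real code stores password hashes).
USERS = {"alice": "correct horse battery staple"}

# Hidden-field name used by ASP.NET's anti-forgery helper.
TOKEN_FIELD = "__RequestVerificationToken"


def start_session() -> str:
    """Issue a pre-authentication session cookie and bind a fresh anti-forgery token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "user": None}
    return sid


def render_login_form(sid: str) -> str:
    """Return the hidden-field value the login page embeds for this session.

    Only a page served to this session can read the value, which is what makes a
    cross-site form submission unable to supply it.
    """
    return SESSIONS[sid]["csrf_token"]


def handle_login_post(cookie_sid: Optional[str], form: Dict[str, str]) -> Tuple[int, str]:
    """Process POST /login.

    The anti-forgery check runs before the credential check, so a request that
    carries valid credentials but no session-bound token never logs anyone in.
    Returns (HTTP status, message); on success the caller would set the new cookie.
    """
    session = SESSIONS.get(cookie_sid) if cookie_sid else None
    if session is None:
        return 403, "no pre-authentication session"

    submitted = form.get(TOKEN_FIELD, "")
    expected = session["csrf_token"]
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return 403, "anti-forgery token missing or invalid"

    username = form.get("username", "")
    password = form.get("password", "")
    if USERS.get(username) is None or not hmac.compare_digest(
        USERS[username].encode("utf-8"), password.encode("utf-8")
    ):
        return 401, "bad credentials"

    # Privilege level changed: retire the old session id and its token, issue new ones.
    del SESSIONS[cookie_sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"csrf_token": secrets.token_urlsafe(32), "user": username}
    return 200, f"logged in as {username}; new session {new_sid}"


def demo() -> Tuple[int, int, int]:
    """Walk through the three cases a login-page token distinguishes."""
    creds = {"username": "alice", "password": USERS["alice"]}

    # 1. Same-site form: the page embedded the session's token, credentials are right.
    sid = start_session()
    ok, _ = handle_login_post(sid, {TOKEN_FIELD: render_login_form(sid), **creds})

    # 2. Cross-site form submission: the browser attaches the cookie, but the
    #    submitting page could not read the token, so the field is absent.
    sid2 = start_session()
    no_token, _ = handle_login_post(sid2, dict(creds))

    # 3. Token from a different session: bound to the wrong cookie, so rejected.
    sid3 = start_session()
    wrong_session, _ = handle_login_post(sid2, {TOKEN_FIELD: render_login_form(sid3), **creds})
    return ok, no_token, wrong_session


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The point the example makes is that the token does not protect the credentials themselves; it ensures that the browser session receiving the logged-in cookie is the one that actually submitted the form. Browser `SameSite` cookie attributes reduce the same risk but are a separate control, so frameworks keep the token on the login page as well.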

