
Cross-Site Request Forgery (CSRF)

An attack that tricks a victim into submitting unauthorized requests using their authenticated session.

Web Security
Also called: "csrf", "cross site request forgery", "session riding"

CSRF exploits the trust a website places in the user's browser: because the browser attaches existing credentials (such as the session cookie) to requests automatically, the site cannot distinguish a forged request from a legitimate user action.

How CSRF works

  1. The victim is authenticated to the vulnerable site (holds a valid session cookie).
  2. The attacker tricks the victim into visiting a malicious page.
  3. The malicious page causes the browser to send a request to the vulnerable site.
  4. The browser automatically includes the session cookie with that request.
  5. The vulnerable site processes the request as a legitimate action by the user.

Attack examples

  • Transfer money from victim's bank account.
  • Change account email or password.
  • Post content or comments as victim.
  • Delete user data or resources.
  • Add/remove admin users.

Attack vectors

  • Malicious websites with hidden forms.
  • Image tags with action URLs: <img src="bank.com/transfer?to=attacker&amount=1000">
  • Iframe embedding vulnerable endpoints.
  • Malicious browser extensions.
  • XSS combined with CSRF.

Prevention

  • CSRF tokens: Random, unpredictable, unique per-session tokens embedded in forms and verified by the server on every state-changing request.
  • SameSite cookies: Prevent the browser from sending the cookie on cross-site requests.
    • SameSite=Strict: Cookie is never sent on cross-site requests (most secure).
    • SameSite=Lax: Cookie is sent only on cross-site top-level navigations using safe methods (e.g. GET), not on cross-site POSTs or embedded subresources.
    • SameSite=None: Cookie is sent on all cross-site requests; requires the Secure flag (HTTPS only).
  • Origin/Referer validation: Check the request's source headers against the site's own origin.
  • Custom request headers: Require X-Requested-With or similar; a cross-site HTML form cannot add custom headers without a CORS preflight.
  • Double submit cookies: Compare the CSRF cookie value with the value submitted in the form.
  • Re-authentication: Require the password again for sensitive actions.

Testing

  • Remove the CSRF token and submit the form; the request must be rejected.
  • Change the token to an invalid value; the request must be rejected.
  • Use a token issued to a different session; the request must be rejected.
  • Test cross-origin requests against each SameSite value to confirm the cookie is not sent where it should not be.
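The server-side gate that the Prevention and Testing sections describe, as an added example that is not part of the original glossary entry: a double-submit CSRF token bound to the session with an HMAC, plus Origin/Referer validation. The secret, the site origin and the header/cookie/form dictionaries are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: in a real deployment the secret comes from configuration.
SERVER_SECRET = b"example-only-server-secret"
SITE_ORIGIN = "https://bank.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Mint a token: random nonce plus an HMAC that binds it to this session.
    The same value is set as a cookie and embedded in forms (double submit);
    the HMAC means a token minted for another session is rejected."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(session_id: str, token: str) -> bool:
    """Check that the token was issued by this server for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Origin/Referer validation: the request must come from our own origin.
    Policy choice here: reject when neither header is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def request_allowed(method: str, headers: dict, cookies: dict, form: dict, session_id: str) -> bool:
    """CSRF gate for state-changing requests; safe methods must never change state."""
    if method.upper() in SAFE_METHODS:
        return True
    if not origin_allowed(headers):
        return False
    cookie_token = cookies.get("csrf_token")
    form_token = form.get("csrf_token")
    if not cookie_token or not form_token:
        return False  # token missing from cookie or form
    # Double submit: cookie and form values must match, and the token must belong to this session.
    return hmac.compare_digest(cookie_token, form_token) and token_valid(session_id, form_token)
```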

Impact

  • Unauthorized state changes.
  • Account takeover.
  • Financial loss.
  • Data modification or deletion.
  • Reputation damage.