Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user's browser to send a forged request to a web application where the user is currently logged in. Because the browser automatically includes session cookies with every request to the target domain, the application cannot distinguish between legitimate requests initiated by the user and forged requests initiated by the attacker's site.
How It Works
The attack relies on the fact that browsers automatically attach cookies to requests matching the cookie's domain, regardless of where the request originates. An attacker crafts a malicious page containing a form or image tag that targets a sensitive endpoint on the vulnerable application. When an authenticated user visits the attacker's page, their browser sends the forged request along with their session cookie, and the application processes it as a legitimate action.
For example, an attacker could create a hidden form that submits a request to change the victim's email address on a banking application. If the victim visits the attacker's page while logged into the bank, their browser submits the email change request with valid session cookies. The banking application receives what appears to be an authenticated request and processes the change.
The primary defense against CSRF is anti-CSRF tokens: unique, unpredictable values generated by the server and embedded in forms. The server validates the token on submission and rejects requests without a valid token. Since the attacker cannot read the token from the target domain (due to the same-origin policy), they cannot forge a valid request. The SameSite cookie attribute provides additional protection by preventing the browser from sending cookies with cross-site requests, effectively blocking most CSRF attacks at the browser level.
Why It Matters
CSRF allows attackers to perform any action the victim can perform: changing passwords, transferring funds, modifying account settings, or making purchases. Security assessments check every state-changing endpoint for CSRF protections, verifying that tokens are present, properly validated, and not reusable. Applications that rely solely on cookies for authentication without CSRF defenses leave every authenticated action vulnerable to exploitation.
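The token defense described above, together with the assessment checks this section lists (token present, validated against the session, not reusable), as an added example that is not code from the original page: a small Python handler for an email-change endpoint that issues per-session single-use anti-CSRF tokens, validates them in constant time, and sets the session cookie with SameSite. The account store, session ids, endpoint name and request shape are constructed for the example and assume nothing about any real framework.

```python
import hmac
import secrets

# Constructed in-memory state for the example: session id -> account record,
# and session id -> set of outstanding (issued but not yet consumed) tokens.
ACCOUNTS = {"sess-alice": {"email": "alice@example.com"}}
_OUTSTANDING_TOKENS = {}


def issue_csrf_token(session_id):
    """Generate an unpredictable token and bind it to the caller's session.

    The server embeds this in the HTML form as a hidden field. An attacker's
    page cannot read it: the same-origin policy blocks cross-site reads.
    """
    token = secrets.token_urlsafe(32)
    _OUTSTANDING_TOKENS.setdefault(session_id, set()).add(token)
    return token


def consume_csrf_token(session_id, submitted):
    """Return True only if `submitted` is an outstanding token for this session.

    A matching token is removed so it cannot be replayed (single use), and the
    comparison is constant-time so response timing does not leak token bytes.
    """
    if not submitted:
        return False
    outstanding = _OUTSTANDING_TOKENS.get(session_id, set())
    matched = None
    for token in outstanding:
        if hmac.compare_digest(token.encode(), submitted.encode()):
            matched = token
    if matched is None:
        return False
    outstanding.discard(matched)
    return True


def session_cookie_header(session_id):
    """Build the Set-Cookie header for the session cookie.

    SameSite=Lax stops the browser attaching the cookie to cross-site POSTs.
    It is still sent on top-level GET navigations, which is why the handler
    below refuses to change state on GET.
    """
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_change_email(request):
    """Handle a constructed request dict for POST /account/email.

    request = {"method": str, "cookies": dict, "form": dict}
    Returns (status_code, message).
    """
    if request.get("method") != "POST":
        return 405, "state changes are only accepted via POST"
    session_id = request.get("cookies", {}).get("session")
    if session_id not in ACCOUNTS:
        return 401, "not authenticated"
    form = request.get("form", {})
    # Cookie alone is not proof of intent: require the per-session token.
    if not consume_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing, invalid or reused CSRF token"
    new_email = form.get("email", "")
    if "@" not in new_email:
        return 400, "invalid email"
    ACCOUNTS[session_id]["email"] = new_email
    return 200, f"email changed to {new_email}"


def run_scenarios():
    """Exercise the checks an assessment performs against this endpoint.

    Returns a dict of scenario name -> HTTP status code.
    """
    cookies = {"session": "sess-alice"}   # browser attaches this automatically
    results = {}
    # 1. Cross-site forged POST: valid cookie, but no token is available.
    results["forged_no_token"] = handle_change_email(
        {"method": "POST", "cookies": cookies,
         "form": {"email": "attacker@example.net"}})[0]
    # 2. Legitimate submission from the server-rendered form.
    token = issue_csrf_token("sess-alice")
    results["legitimate"] = handle_change_email(
        {"method": "POST", "cookies": cookies,
         "form": {"email": "alice2@example.com", "csrf_token": token}})[0]
    # 3. Replay of the already-consumed token must be rejected.
    results["replayed"] = handle_change_email(
        {"method": "POST", "cookies": cookies,
         "form": {"email": "attacker@example.net", "csrf_token": token}})[0]
    # 4. A token issued to some other session must not validate for this one.
    other = issue_csrf_token("sess-other")
    results["other_session_token"] = handle_change_email(
        {"method": "POST", "cookies": cookies,
         "form": {"email": "attacker@example.net", "csrf_token": other}})[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
    print(session_cookie_header("sess-alice"))
```

In a real deployment the token store lives in the server-side session rather than a module-level dict, and the same three checks (present, bound to the session, consumed on use) are what a reviewer verifies on every state-changing endpoint.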