Cross-Site Request Forgery (CSRF)
Quick Definition
An attack that tricks authenticated users into submitting unwanted requests to a web application in which they're currently authenticated.
What is Cross-Site Request Forgery?
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to perform actions they did not intend. When a user is logged into a web application, their browser automatically attaches the session cookies for that site to every request sent to it, regardless of which page initiated the request. CSRF exploits this by tricking the user's browser (for example via a page the attacker controls) into sending a request to the target application; the server sees valid session cookies and treats the request as the user's own. The attacker never sees the response, so the attack is only useful for requests whose side effect benefits the attacker.
A successful CSRF attack can:
- Change account email addresses or passwords
- Transfer funds (in banking applications)
- Make purchases
- Change user settings
- Post content on behalf of the user
CSRF attacks are prevented by:
- Using CSRF tokens (unpredictable per-session or per-request tokens that the server verifies on every state-changing request; an attacker on another origin cannot read them, so a forged request cannot include the right value)
- Checking the Origin header, with Referer as a fallback (reject requests whose source is not the application's own origin; treat a request carrying neither header as a rejection, not a pass, since these headers can be stripped)
- Setting the SameSite cookie attribute (Lax or Strict) so the browser withholds the session cookie on cross-site requests
- Requiring re-authentication for sensitive actions
Examples
An attacker hosts a page with a hidden form that auto-submits when the victim's browser loads it:
    <form action="https://bank.com/transfer" method="POST">
      <input type="hidden" name="amount" value="10000">
      <input type="hidden" name="to" value="attacker">
    </form>
    <script>document.forms[0].submit();</script>
If a logged-in bank user visits this page, their browser submits the form to bank.com with the user's session cookies attached, and the transfer is made under their authenticated session. This succeeds only when the endpoint does not verify a CSRF token or the request's origin and the session cookie is sent on cross-site requests (no SameSite protection); the attacker never needs to see the response.