Attacks & Threats
Cross-Site Request Forgery (CSRF)
Also known as: CSRF, Session riding
Definition
A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.
Cross-Site Request Forgery (CSRF) exploits the fact that browsers automatically attach cookies and other ambient credentials (such as HTTP Basic auth) to outgoing requests, regardless of which page initiated them. A victim who is logged in to a target site is tricked into loading a malicious page that submits forms or makes API calls in the background, causing actions such as changing a password, transferring funds, or modifying account settings — all on behalf of the authenticated user, because the target site cannot distinguish the forged request from a legitimate one. Defences include synchronizer tokens (anti-CSRF tokens tied to the session and verified on every state-changing request), SameSite cookies (Lax or Strict), double-submit cookie patterns, requiring re-authentication for sensitive actions, validating Origin/Referer headers, and using non-cookie credentials such as bearer tokens held in memory, which the browser does not attach automatically.
Examples
- A logged-in user opens an attacker-controlled page that silently POSTs to /transfer to move money from their bank account.
- An admin clicks a link that submits a hidden form to /users/promote, granting the attacker administrative privileges.
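The following is an added example, not code from the original entry: a minimal server-side check for a state-changing endpoint that combines two of the defences listed above, a per-session synchronizer token compared in constant time and an Origin/Referer check, plus a session cookie issued with SameSite=Lax. The site origin `https://bank.example` and the `/transfer` handler shape are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected site (constructed for this example).
ALLOWED_ORIGINS = {"https://bank.example"}


def issue_csrf_token(session: dict) -> str:
    """Create a synchronizer token, store it in the server-side session,
    and return it so the page can embed it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax stops the cookie riding along on
    cross-site POSTs, Secure/HttpOnly limit exposure to XSS and plaintext."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def is_request_allowed(headers: dict, form: dict, session: dict) -> bool:
    """Return True only if the request is same-origin AND carries the
    session's synchronizer token. Header names are assumed already
    canonicalised to 'Origin' / 'Referer' by the framework."""
    origin = headers.get("Origin")
    if origin is None:
        # Fall back to the Referer's origin; refuse if neither is present.
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(expected, submitted)


def handle_transfer(headers: dict, form: dict, session: dict) -> int:
    """Hypothetical /transfer handler: reject forged requests with 403."""
    if not is_request_allowed(headers, form, session):
        return 403
    # ... perform the transfer for the authenticated user ...
    return 200
```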
Related terms
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
SameSite Cookie
SameSite Cookie — definition coming soon.
Session Hijacking
An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
CORS (Cross-Origin Resource Sharing)
CORS (Cross-Origin Resource Sharing) — definition coming soon.
Session Management
Session Management — definition coming soon.
OWASP Top 10
OWASP Top 10 — definition coming soon.