Vol. 1 · Ed. 2026
CyberGlossary
Entry № 267

Cross-Site Request Forgery (CSRF)

Reviewed by a cybersecurity entrepreneur & security researcher

What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF): A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.


Cross-Site Request Forgery (CSRF) exploits the fact that browsers automatically attach cookies and other credentials to outgoing requests. A victim who is logged in to a target site is tricked into loading a malicious page that submits forms or makes API calls in the background, causing actions such as changing a password, transferring funds, or modifying account settings — all on behalf of the authenticated user. Defences include synchronizer tokens (anti-CSRF tokens), SameSite cookies (Lax or Strict), double-submit patterns, requiring re-authentication for sensitive actions, validating Origin/Referer headers, and using non-cookie credentials such as bearer tokens stored in memory.
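Added example, not part of this glossary entry: a minimal server-side check that combines three of the defences listed above, a per-session synchronizer token, Origin/Referer validation, and a SameSite cookie attribute, and applies it to constructed requests (one legitimate, one forged). The origin https://bank.example, the request-dict shape and all function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"          # assumed origin of the protected app
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_session(sessions):
    """Create a session and bind a fresh, unguessable synchronizer token to it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie to
    cross-site POSTs, so a forged form submission arrives unauthenticated."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our own
    origin; a missing header is rejected rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def check_request(sessions, request):
    """Return (allowed, reason) for a request dict with keys
    method, headers, cookies, form. Safe methods pass; state-changing
    ones need a valid session, a same-origin source and the session's token."""
    if request["method"] not in STATE_CHANGING:
        return True, "safe method"
    session = sessions.get(request["cookies"].get("sid", ""))
    if session is None:
        return False, "no session"
    if not origin_allowed(request["headers"]):
        return False, "origin mismatch"
    submitted = request["form"].get("csrf_token", "")
    # constant-time comparison; encode so non-ASCII input cannot raise
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False, "bad token"
    return True, "ok"
```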

Examples

  1. A logged-in user opens an attacker-controlled page that silently POSTs to /transfer to move money from their bank account.

  2. An admin clicks a link that submits a hidden form to /users/promote, granting the attacker administrative privileges.

Frequently asked questions

What is Cross-Site Request Forgery (CSRF)?

A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent. It belongs to the Attacks & Threats category of cybersecurity.

What does Cross-Site Request Forgery (CSRF) mean?

A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.

How do you defend against Cross-Site Request Forgery (CSRF)?

Defences for Cross-Site Request Forgery (CSRF) typically combine technical controls (synchronizer tokens, SameSite cookies, double-submit patterns, Origin/Referer validation, non-cookie credentials such as in-memory bearer tokens) with operational practices such as requiring re-authentication for sensitive actions, as detailed in the full definition above.

What are other names for Cross-Site Request Forgery (CSRF)?

Common alternative names include: CSRF, Session riding.
