Web Vulnerability

Cross-Site Request Forgery (CSRF)

CSRF is a web vulnerability where an attacker causes a victim’s browser to send an unwanted authenticated request to a trusted application.

Category: Session Abuse
Common impact: Unauthorized state change
Common surface: Cookie-authenticated endpoints
Risk model: Browser trust boundary

What is this vulnerability?

Cross-Site Request Forgery happens when a trusted application accepts a state-changing request from the victim’s browser without confirming that the user intentionally initiated it. The browser automatically includes cookies, so the request may be processed as authenticated.

How it works

The attacker hosts a page that silently submits a request to a vulnerable application. If the victim is already logged in, the browser may attach the victim’s session cookies, causing the application to perform the action under the victim’s identity.

Minimal vulnerable example

This simplified example shows how a cookie-authenticated endpoint can be abused when it accepts sensitive state changes without an anti-CSRF token.

1. Victim is logged in
2. Attacker page submits hidden form
3. Browser attaches cookies
4. Server accepts request
5. Unwanted action succeeds

Potential impact

Unauthorized account changes, such as email, password, or profile updates.
Unwanted financial or workflow actions when sensitive operations lack confirmation.
Administrative state changes when admin panels rely only on cookies for trust.
Business logic abuse where the attacker cannot read responses but can trigger actions.

Mitigation

Use anti-CSRF tokens bound to the user session and validate them server-side.
Set cookies with SameSite=Lax or SameSite=Strict where possible.
Validate Origin and Referer headers for sensitive requests.
Require explicit confirmation or re-authentication for high-risk actions.
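The following is an added example that is not part of the original page or of FikreSekhel Research's own material. It models the five-step flow from the "Minimal vulnerable example" above and the first three mitigations listed here in one runnable Python script: a cookie-authenticated change-email endpoint that trusts the session cookie alone, the same endpoint hardened with Origin/Referer validation and a session-bound anti-CSRF token, and a toy browser that attaches cookies for the target site while withholding SameSite=Lax/Strict cookies on cross-site POSTs. The origins, session id, cookie jar and form values are all constructed for the illustration; the endpoint path and token derivation (HMAC of the session id under a server secret) are assumptions, not a description of any particular framework.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed values for the illustration (not from any real application).
APP_ORIGIN = "https://bank.example"           # the trusted application
ATTACKER_ORIGIN = "https://attacker.example"  # page the victim is lured to
SESSIONS = {"sess-abc": "alice"}              # session id -> logged-in user
SERVER_KEY = secrets.token_bytes(32)          # hypothetical server-side secret


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


def vulnerable_change_email(req: Request):
    """Step 4 of the demo: the endpoint trusts the session cookie alone."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or user is None:
        return 401, "not authenticated"
    return 200, f"{user}: email changed to {req.form.get('email')}"


def csrf_token_for(session_id: str) -> str:
    """Anti-CSRF token bound to the session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_change_email(req: Request):
    """Same endpoint with Origin/Referer validation and a session-bound token."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if req.method != "POST" or user is None:
        return 401, "not authenticated"
    # Browsers set Origin on cross-origin POSTs; fall back to the Referer's origin.
    origin = req.headers.get("Origin")
    if origin is None and "Referer" in req.headers:
        scheme, _, rest = req.headers["Referer"].partition("://")
        origin = scheme + "://" + rest.split("/", 1)[0]
    if origin != APP_ORIGIN:
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(csrf_token_for(sid), token):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user}: email changed to {req.form.get('email')}"


def browser_post(page_origin, target_origin, form, cookie_jar):
    """Steps 2-3: a page at page_origin auto-submits a form to target_origin.
    The browser attaches target_origin's cookies, except that SameSite=Lax and
    SameSite=Strict cookies are withheld on a cross-site POST."""
    cross_site = page_origin != target_origin
    cookies = {}
    for name, (value, same_site) in cookie_jar.get(target_origin, {}).items():
        if cross_site and same_site in ("Lax", "Strict"):
            continue
        cookies[name] = value
    return Request("POST", "/change-email", cookies, {"Origin": page_origin}, form)


def victim_jar(same_site="None"):
    """Step 1: the victim is logged in; the session cookie carries the given SameSite value."""
    return {APP_ORIGIN: {"session": ("sess-abc", same_site)}}


FORGED_FORM = {"email": "attacker@attacker.example"}  # constructed hidden-form payload


def forged_request_vs_vulnerable():
    req = browser_post(ATTACKER_ORIGIN, APP_ORIGIN, FORGED_FORM, victim_jar())
    return vulnerable_change_email(req)[0]  # step 5: the unwanted action succeeds


def forged_request_vs_hardened():
    req = browser_post(ATTACKER_ORIGIN, APP_ORIGIN, FORGED_FORM, victim_jar())
    return hardened_change_email(req)[0]  # rejected: Origin is not the app's


def forged_request_with_samesite_lax():
    req = browser_post(ATTACKER_ORIGIN, APP_ORIGIN, FORGED_FORM, victim_jar("Lax"))
    return vulnerable_change_email(req)[0]  # cookie never attached, so unauthenticated


def legitimate_request_vs_hardened(with_token=True):
    form = {"email": "alice@bank.example"}
    if with_token:
        form["csrf_token"] = csrf_token_for("sess-abc")  # token rendered into the real form
    req = browser_post(APP_ORIGIN, APP_ORIGIN, form, victim_jar())
    return hardened_change_email(req)[0]


if __name__ == "__main__":
    print("forged vs vulnerable:", forged_request_vs_vulnerable())
    print("forged vs hardened:", forged_request_vs_hardened())
    print("forged with SameSite=Lax cookie:", forged_request_with_samesite_lax())
    print("legitimate with token:", legitimate_request_vs_hardened())
    print("legitimate without token:", legitimate_request_vs_hardened(False))
```

The toy browser only models the POST case; a SameSite=Lax cookie is still sent on top-level cross-site GET navigations, which is why state changes must not be accepted over GET in the first place. The hardened handler checks the Origin/Referer before the token, so a cross-site request is refused even when an attacker could somehow guess a token, and the token comparison uses hmac.compare_digest to avoid timing differences.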

Need private analysis for your codebase? Request exploitability review and application risk mapping from FikreSekhel Research.