🔍 What is CSRF?
CSRF (Cross-Site Request Forgery) is a web vulnerability in which an attacker's page makes the victim's browser submit a request to a web application where the victim is already authenticated. It abuses the fact that the browser attaches the user's credentials (most often the session cookie) to every request sent to that site, no matter which page triggered it, so the application cannot tell a forged request from a genuine one. The trust being exploited is the application's trust in the user's browser, not the user's trust in the site.
📌 Key Concepts
- Authenticated Context: CSRF targets credentials the browser attaches automatically, above all session cookies (HTTP Basic/Digest auth and client certificates behave the same way). A credential that page script has to add by hand, such as a JWT in an Authorization header, is not sent with a cross-site form, so it only becomes CSRF-relevant when the application also accepts it from a cookie.
- Involuntary Action: The victim performs an action they didn’t intend to, like changing a password or transferring funds.
- Same-origin Policy (SOP): SOP does not stop CSRF. It prevents the attacker's page from reading the response to a cross-origin request, but it does not stop the browser from sending that request, cookies included. The forged request arrives at the target as a cross-site request, and a blind write is all the attacker needs.
- GET vs POST: GET requests are the easiest to forge (an image tag or a link is enough), but POST requests are just as vulnerable if protection is absent: an auto-submitted HTML form sends a cross-site POST with the cookies attached. Only request shapes a plain form cannot produce, such as a JSON body with a custom header, need more than this, and only if the server actually enforces them.
🚀 Attack Flow
- User logs into a target website (e.g., bank.com)
- Session is maintained via a cookie
- User visits an attacker-controlled site
- That site auto-submits a form to bank.com using the existing session
- The action executes without the user's consent
💣 Real-World Example: CSRF in Password Change
If the following endpoint changes a password without CSRF protection:
POST /change-password HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/x-www-form-urlencoded
Cookie: session=abc123

newPassword=hacked123
An attacker could craft a malicious HTML page:
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="https://vulnerable-site.com/change-password">
<input type="hidden" name="newPassword" value="hacked123" />
</form>
</body>
</html>
If a logged-in user visits the attacker's page, the browser attaches the victim's session cookie to the cross-site POST and the password is silently changed. The only script involved is the one-line auto-submit in the body's onload handler; with scripting disabled, the attacker can fall back on a visible submit button and a pretext to click it. Nothing on the attacker's page ever needs to read the response.
🕵️♀️ How to Detect CSRF
- Check for state-changing requests (POST, PUT, DELETE) that lack anti-CSRF tokens
- Test if actions can be performed via a third-party site
- Manually forge requests using tools like Burp Suite (replay the request in Repeater with the token removed or swapped for another user's token; use the CSRF PoC generator to build the cross-site form)
- Verify whether same-origin protections are enforced: does the server reject a request whose Origin or Referer header points to another site, and what does it do when both headers are missing?
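The checks above can be turned into a first-pass triage script. The following is an added example, not tooling from the page: it parses a few constructed raw requests (modelled on the change-password request shown earlier) and reports why each state-changing one deserves a manual CSRF test. The token field and header names are assumptions drawn from common frameworks, not a standard; extend them for the target under test.

```python
from urllib.parse import parse_qs

# Request methods that normally change server state.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Common anti-CSRF field and header names (assumed convenience list, not a standard).
TOKEN_FIELDS = {"csrf_token", "csrfmiddlewaretoken", "_token", "authenticity_token",
                "__requestverificationtoken"}
TOKEN_HEADERS = {"x-csrf-token", "x-xsrf-token"}

# Constructed captures: the page's request, the same request with a token, and a
# bearer-authenticated JSON call.
CAPTURES = {
    "no_token": (
        "POST /change-password HTTP/1.1\n"
        "Host: vulnerable-site.com\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "Cookie: session=abc123\n"
        "\n"
        "newPassword=hacked123"
    ),
    "with_token": (
        "POST /change-password HTTP/1.1\n"
        "Host: vulnerable-site.com\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "Cookie: session=abc123\n"
        "\n"
        "newPassword=hacked123&csrf_token=9f1c0e2a"
    ),
    "bearer_json": (
        "POST /api/change-password HTTP/1.1\n"
        "Host: vulnerable-site.com\n"
        "Content-Type: application/json\n"
        "Authorization: Bearer eyJhbGciOi...\n"
        "\n"
        '{"newPassword": "hacked123"}'
    ),
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "path": path, "headers": headers, "body": body}


def carries_token(req: dict) -> bool:
    """True if a recognisable anti-CSRF token travels in a header or a form field."""
    if TOKEN_HEADERS & set(req["headers"]):
        return True
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = {name.lower() for name in parse_qs(req["body"], keep_blank_values=True)}
        return bool(fields & TOKEN_FIELDS)
    return False


def assess(raw: str) -> list[str]:
    """Return the reasons a request is worth a CSRF test; an empty list means 'probably not'."""
    req = parse_request(raw)
    if req["method"] not in STATE_CHANGING:
        return []
    if "cookie" not in req["headers"]:
        # Authorization headers are attached by page script, not by the browser,
        # so a cross-site form cannot supply them.
        return []
    reasons = []
    if not carries_token(req):
        reasons.append("state-changing request authenticated by cookie alone, no anti-CSRF token")
    if req["headers"].get("content-type", "").startswith("application/json"):
        reasons.append("JSON body: check whether the server also accepts text/plain or form-encoded bodies")
    return reasons


if __name__ == "__main__":
    for name, raw in CAPTURES.items():
        print(f"{name}: {assess(raw) or 'no CSRF indicator'}")
```

The script only finds candidates; confirming a finding still means replaying the request from a cross-site page (or from Repeater with the token stripped) and checking that the action actually took effect.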
🛡️ Prevention & Mitigation
- CSRF Tokens: Issue an unpredictable token tied to the user's session (per session, or per form for sensitive actions), embed it in every state-changing form or request, and reject requests whose token is missing, wrong, or issued for a different session
- SameSite Cookies: Set session cookies with SameSite=Lax or SameSite=Strict so the browser withholds them from cross-site POSTs. Lax still sends the cookie on top-level GET navigations, which is one more reason a GET must never change state
- Double Submit Cookies: Send the same token in a cookie and in the form or a header and compare the two server-side. This is weaker than a server-side token: anyone who can set a cookie for the domain (for example from a vulnerable subdomain) can forge a matching pair, so prefer a signed or session-bound variant
- Check Origin & Referer: Validate that the Origin header (or, failing that, the Referer) names your own origin. Browsers send Origin on every cross-site POST, so decide deliberately what to do when neither header is present instead of silently allowing it
- Authentication Headers: Credentials the client must attach explicitly, such as a bearer token in an Authorization header, are not sent by a cross-site form, which removes the forgery vector. The price is that the token must be stored where page script can read it, so this trades CSRF exposure for XSS exposure
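To make the first four mitigations concrete, here is an added example (not code from the page) of the change-password handler in its vulnerable and hardened forms. It assumes a site origin of https://vulnerable-site.com, an in-memory session store and a per-process secret, all constructed for the example. The token is a synchronizer token bound to the session with an HMAC, the origin check falls back to Referer, and the cookie helper shows where SameSite goes; double submit is deliberately not implemented.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for the example: the site's own origin, an in-memory session store and a
# per-process secret. A real deployment loads the secret from configuration.
SITE_ORIGIN = "https://vulnerable-site.com"
SESSIONS = {"abc123"}                 # constructed: session IDs currently logged in
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: a random nonce bound to the session by an HMAC.

    The server keeps no per-token state, and a token issued for one session does
    not verify for another, so the attacker's own token is useless against the victim."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: dict) -> bool:
    """Origin must equal our origin; fall back to Referer; reject when neither is present.

    Browsers attach Origin to every cross-site POST, so a forged form request from
    attacker.example always fails the first comparison."""
    origin = headers.get("origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def session_cookie(session_id: str, same_site: str = "Lax") -> str:
    """Set-Cookie value for the session: SameSite keeps the browser from attaching it
    to cross-site POSTs; Secure and HttpOnly are the usual companions."""
    return f"session={session_id}; Secure; HttpOnly; Path=/; SameSite={same_site}"


def change_password_vulnerable(session_id: str, form: dict, headers: dict) -> int:
    """As on the page: any POST carrying a valid session cookie changes the password."""
    if session_id not in SESSIONS:
        return 401
    return 200   # password changed, no matter which page sent the form


def change_password_hardened(session_id: str, form: dict, headers: dict) -> int:
    """Same endpoint with origin validation and a session-bound synchronizer token."""
    if session_id not in SESSIONS:
        return 401
    if not origin_allowed(headers):
        return 403
    if not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return 403
    return 200


if __name__ == "__main__":
    forged_form = {"newPassword": "hacked123"}
    forged_headers = {"origin": "https://attacker.example"}   # constructed cross-site POST
    print("vulnerable:", change_password_vulnerable("abc123", forged_form, forged_headers))
    print("hardened:  ", change_password_hardened("abc123", forged_form, forged_headers))
    token = issue_csrf_token("abc123")
    genuine = {"newPassword": "N3w-pass", "csrf_token": token}
    print("genuine:   ", change_password_hardened("abc123", genuine, {"origin": SITE_ORIGIN}))
    print(session_cookie("abc123"))
```

Rejecting a request that carries neither Origin nor Referer is a policy choice. Browsers send Origin on every cross-site POST, so the missing-headers case is rare and mostly non-browser clients, but measure it on your own traffic before enforcing it. The token check stays in place even with SameSite cookies, because SameSite depends on browser support and on the cookie being set correctly everywhere.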
🛠️ Tools for Testing CSRF
- Burp Suite (CSRF PoC generator)
- OWASP CSRFGuard (a Java protection library rather than a scanner; useful as a reference implementation of synchronizer tokens)
- Breacher (CSRF detection)
- Browser DevTools for manual form reproduction
💡 Practical Tips
- Focus on endpoints that modify data (change email, password, transaction)
- If a state-changing POST still succeeds with the token removed (or replaced by a token from another user's session) and with a foreign Origin header, it is vulnerable
- Remember: Read-only actions (like GET to /profile) are typically not CSRF-sensitive, since the attacker cannot read the response anyway
- Modern apps using JSON APIs may use JWT: if the JWT travels only in an Authorization header, a forged form cannot supply it, but check whether the server also accepts the JWT from a cookie, and whether the JSON endpoint accepts a form-encoded or text/plain body, which a plain HTML form can send