CSRF-cross-site-request-forgery

An attacker fools an application into letting them perform sensitive operations on behalf of a legitimate user.

CSRF (Cross-Site Request Forgery)

CSRF is a web security vulnerability where an attacker tricks a user's browser into making unwanted requests to a web application where the user is authenticated.

How it works

  1. User logs into a legitimate website (e.g., their bank)
  2. User visits a malicious website while still logged in
  3. The malicious site contains hidden forms or scripts that make requests to the legitimate site
  4. The browser automatically includes the user's authentication cookies with these requests
  5. The legitimate site processes the request as if the user intended it

Example Attack

<!-- Hidden form on malicious site -->
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to_account" value="attacker_account">
</form>
<script>document.forms[0].submit();</script>

Prevention Methods

  • CSRF Tokens: Include unique, unpredictable tokens in forms
  • SameSite Cookies: Restrict when cookies are sent with cross-site requests
  • Origin/Referer Headers: Validate the request source
  • Custom Headers: Require specific headers for state-changing operations
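As an added example, not part of the original page, the server-side check below combines two of the methods listed above: a session-bound CSRF token that the application embeds in its own forms, and an Origin/Referer check. The origin `https://bank.example`, the cookie name `session`, the field name `csrf_token` and the sample session id are assumed values.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example: the application's own origin, the
# session cookie name and the form field that carries the token.
APP_ORIGIN = "https://bank.example"
SESSION_COOKIE = "session"
TOKEN_FIELD = "csrf_token"

def issue_csrf_token(session_id: str, secret: bytes) -> str:
    # Token bound to the session via HMAC: the server recomputes it on each
    # request, and a cross-site page cannot read the victim's cookie to
    # derive it. Embed it in every form the application renders.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def origin_allowed(headers: dict) -> bool:
    # Validate the request source from Origin, falling back to Referer.
    # A state-changing request carrying neither header is rejected.
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer == APP_ORIGIN or referer.startswith(APP_ORIGIN + "/")
    return False

def state_change_allowed(method: str, headers: dict, cookies: dict,
                         form: dict, secret: bytes) -> bool:
    # Gate for any request that changes state: both checks must pass.
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state in the first place
    session_id = cookies.get(SESSION_COOKIE)
    if not session_id or not origin_allowed(headers):
        return False
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison so timing does not leak the token.
    return hmac.compare_digest(expected, form.get(TOKEN_FIELD, ""))

if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    cookies = {SESSION_COOKIE: "victim-session-id"}  # constructed sample
    # The hidden form above: cookie attached, but no token and wrong Origin.
    forged = state_change_allowed("POST", {"Origin": "https://evil.example"},
                                  cookies, {"amount": "1000"}, secret)
    token = issue_csrf_token("victim-session-id", secret)
    genuine = state_change_allowed("POST", {"Origin": APP_ORIGIN}, cookies,
                                   {"amount": "1000", TOKEN_FIELD: token}, secret)
    print("forged blocked:", not forged, "| genuine allowed:", genuine)
```

Pairing this with `SameSite=Lax` (or `Strict`) on the session cookie adds a browser-side layer, but the server-side check remains the control that does not depend on client behaviour.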

Impact

CSRF can lead to unauthorized actions like money transfers, password changes, or data modifications performed on behalf of authenticated users without their knowledge.