
CSRF - Cross-Site Request Forgery Explained


CSRF (Cross-Site Request Forgery) is an attack in which an attacker causes a user's browser to send an unintended, malicious request to a web service the user is already authenticated with. Because the request abuses the credentials (cookies) of the service the user is logged into, the service processes it as if the user had performed the action themselves. Alongside XSS, it is one of the most representative web application attacks. As of 2025, major frameworks (Django, Rails, Next.js) include CSRF protection by default, yet implementation gaps in API endpoints and SPAs continue to be reported.

Real-World Use Cases

"During a vulnerability assessment, we found that the shipping-address change API of an e-commerce site had no CSRF protection implemented. If an attacker prepared a trap page, they could change a logged-in user's shipping address to any address they wanted."

The Flow of a CSRF Attack

User logs in to a legitimate site
Views the attacker's trap page
Malicious request sent with cookies
Legitimate site executes the action

The Mechanism of a CSRF Attack

The attacker prepares a trap web page and embeds in it a request to a service the user is logged into. For example, if a user views the attacker's page while still logged in to a bank site, the browser automatically sends a money-transfer request to the bank site. Because the browser attaches the bank's cookies to that request automatically, the bank site cannot distinguish it from a request made by a legitimate user.

Real-World Damage Scenarios

There are cases where, while logged in to an e-commerce site, clicking a link planted by an attacker changes the shipping address to the attacker's address. There have also been reports of damage where viewing a trap page while logged in to a social network results in unintended posts or follows. When combined with session hijacking, the damage becomes even more serious. In online banking, CSRF protection for money-transfer operations is especially important.

Defense Techniques

On the developer side, the standard measure is to embed a CSRF token (a random, unique value) in forms and verify it on the server when the request is made. Setting the SameSite cookie attribute restricts cross-site cookie transmission, so the browser no longer attaches the session cookie to requests initiated from the attacker's page. On the user side, the basics are to develop the habit of logging out after important operations and to avoid clicking suspicious links. Protecting your account with a strong random password and enabling multi-factor authentication can mitigate the damage should the worst happen.
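As an added example (not code from the original page), here is a minimal version of the two developer-side measures in Python: a CSRF token bound to the session ID with an HMAC and checked in constant time, a session cookie issued with SameSite=Lax, and a shipping-address endpoint that rejects the forged cross-site request even though it arrives with cookies. SECRET_KEY, handle_change_address and the request dict layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a server-side secret that never leaves the server (constructed value).
SECRET_KEY = b"constructed-example-secret-rotate-in-production"


def issue_csrf_token(session_id: str) -> str:
    """Return "<nonce>.<mac>", where mac = HMAC(secret, session_id:nonce).

    Binding the token to the session means a token minted for one session
    (or guessed by the attacker) is useless for any other session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC and compare in constant time; malformed tokens fail closed."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie_header(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs,
    a second layer that works independently of the token check."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def handle_change_address(request: dict, session_id: str) -> int:
    """State-changing endpoint (shipping-address change). Returns an HTTP status.

    request is a constructed dict: {"method": str, "form": {field: value}}.
    Looking the session up from the cookie is assumed to have happened already.
    """
    if request["method"] != "POST":
        return 405  # never change state on GET: an <img src> on a trap page could trigger it
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403  # the forged cross-site request carries cookies but no valid token
    # ... persist request["form"]["address"] for session_id here ...
    return 200
```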
