CSRF (Cross-Site Request Forgery)
Attack Explained: Complete Attack Flow with Examples
Cross-Site Request Forgery (CSRF) is a dangerous web security vulnerability where an attacker tricks a victim’s browser into performing unintended actions on a trusted website where the victim is already authenticated.
The most critical aspect of CSRF is that the attack abuses a valid user session. The website believes the request is legitimate because it contains valid session cookies.

What Is CSRF (Cross-Site Request Forgery)?
CSRF is a web application attack in which a malicious website causes a victim’s browser to send an unauthorized request to a legitimate website where the victim is already logged in.
Because browsers automatically attach a site's cookies to every request sent to that site, no matter which page triggered the request, the server cannot tell a real user action from a forged one by looking at the cookie alone.
Why CSRF Attacks Are Dangerous
- Attacks happen without user awareness
- Valid session cookies are abused
- No malware is required on the victim’s device
- Can lead to financial loss and account takeover
CSRF Attack Flow (Based on the Image)
The image shows a clear three-stage CSRF attack flow:
- Legitimate website with authenticated user
- Malicious website controlled by attacker
- Forged request executed without user consent
Step 1: Legitimate Website (Authenticated User)
The victim logs into a trusted website such as an online bank.
- User enters correct credentials
- Server creates a valid session
- Session cookie is stored in the browser
Example session cookie:
session_id=12345
At this point, the user is authenticated and trusted by the server.
Step 2: Victim Visits Malicious Website (Attacker’s Site)
While still logged in, the victim visits a malicious website. This can happen via:
- Phishing email
- Malicious advertisement
- Compromised website
The attacker’s site contains a hidden forged request.
Example Attacker Setup
<img src="http://bank.com/transfer?to=attacker&amount=1000" width="0" height="0">
The zero-size image is invisible to the user and is fetched automatically when the page loads, so no click is required. It works here because the bank performs a state-changing transfer on a plain GET request; a hidden, auto-submitted form would forge a POST just as easily.
Step 3: Forged Request Is Sent Automatically
When the malicious page loads:
- The browser automatically sends the request
- The valid session cookie is attached
- The request looks legitimate to the server
Important: The user never approves this action.
Action Executed Without User Consent
Because the request contains a valid session cookie:
- The server accepts the request
- The action is executed
Examples of CSRF impact:
- Unauthorized fund transfer
- Password change
- Email address modification
- Account setting changes
Result: Unauthorized action performed on behalf of the user.
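The three steps above, run end to end in code. This is an added example, not code from the original page: it models the browser's cookie jar, the attacker's hidden request from a page on evil.example, and a bank endpoint that trusts the session cookie alone. The hostnames, the session value 12345 and the SameSite handling (simplified to "same host means same site") are assumptions made for the demonstration.

```javascript
// Added example (not from the original page): a model of the browser-side
// behaviour that makes CSRF possible. The cookie jar attaches a cookie to any
// request bound for the host that set it, regardless of which page started the
// request; only the SameSite attribute changes that decision.
// Hosts, paths and cookie values below are made up.

// Simplification: "same site" is treated as "same host".
function shouldSendCookie(cookie, req) {
  if (cookie.host !== req.host) return false;        // cookies are scoped to their host
  if (req.initiatorSite === req.host) return true;   // same-site request: always sent
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                                  // never on a cross-site request
    case 'Lax':
      // Sent only on top-level navigations with a safe method (clicking a link),
      // NOT for <img>, fetch/XHR, iframes or a cross-site POST form.
      return req.topLevelNavigation && req.method === 'GET';
    default:
      return true;                                   // SameSite=None: classic behaviour
  }
}

// The browser assembles the request; cookies are added without user involvement.
function browserRequest(jar, req) {
  const cookieHeader = jar
    .filter((c) => shouldSendCookie(c, req))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
  return { ...req, headers: { cookie: cookieHeader } };
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) out[k] = v;
  }
  return out;
}

// Vulnerable bank endpoint: a GET that performs a transfer and trusts the
// session cookie alone (no token, no origin check).
const sessions = { '12345': 'alice' };             // session_id -> user (constructed)

function vulnerableTransfer(req) {
  const user = sessions[parseCookies(req.headers.cookie || '').session_id];
  if (!user) return { status: 401, body: 'not logged in' };
  const url = new URL(req.path, `https://${req.host}`);
  const to = url.searchParams.get('to');
  const amount = Number(url.searchParams.get('amount'));
  return { status: 200, body: `Transfer Complete: $${amount} sent to ${to} from ${user}` };
}

// Steps 1-3: the victim is logged in to bank.com (cookie with the given SameSite
// setting), then a page on evil.example issues the forged request.
function simulateAttack(sameSite, { topLevelNavigation = false } = {}) {
  const jar = [{ name: 'session_id', value: '12345', host: 'bank.com', sameSite }];
  const forged = {
    method: 'GET',
    host: 'bank.com',
    path: '/transfer?to=attacker&amount=1000',
    initiatorSite: 'evil.example',   // the page that triggered the request
    topLevelNavigation,              // false for a hidden <img>, true for a clicked link
  };
  return vulnerableTransfer(browserRequest(jar, forged));
}

for (const mode of ['None', 'Lax', 'Strict']) {
  console.log(`SameSite=${mode} via <img>:`, simulateAttack(mode));
}
console.log('SameSite=Lax via clicked link:', simulateAttack('Lax', { topLevelNavigation: true }));
```

Running it shows the hidden-image attack succeeding with SameSite=None, failing with Lax or Strict, and succeeding again under Lax when the forged GET is a top-level navigation (a link the victim clicks). That last case is why the server-side fix (no state changes on GET) matters even with SameSite cookies.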
Real-World CSRF Example
A user is logged into their bank account. They visit a malicious website that silently executes a request.
Transfer Complete: $1000 sent to attacker
The bank believes the request is legitimate because it includes a valid session.
Why CSRF Works (Key Reason)
- Browsers automatically send cookies
- Server trusts authenticated sessions
- No verification of request origin
CSRF exploits the trust the server places in the victim's browser.
CSRF vs XSS (Important Difference)
| Feature | CSRF | XSS |
|---|---|---|
| Attack Type | Forces the victim's browser to send unwanted requests | Executes attacker-controlled script inside the target site |
| Uses Session Cookie | Yes: the browser attaches it automatically, the attacker never sees it | Can read it (unless HttpOnly) or simply act from inside the page |
| Runs JavaScript | Not required (an <img> or auto-submitted form suffices) | Yes |
| Trust Exploited | The site's trust in the user's browser | The user's trust in the site |
| Attacker Sees the Response | No | Yes |
How to Prevent CSRF Attacks
1️⃣ CSRF Tokens (Most Effective)
- Unique, unpredictable token generated per session (or per request), tied to that session on the server
- Sent in a hidden form field or custom header, never only in a cookie, and verified by the server on every state-changing request
2️⃣ SameSite Cookie Attribute
- SameSite=Strict blocks the session cookie on all cross-site requests
- SameSite=Lax still sends it on top-level GET navigations (a clicked link), so state changes must not happen on GET
3️⃣ Check Origin / Referer Headers
- Reject state-changing requests whose Origin (or, if absent, Referer) is not your own site
- Browsers send Origin on cross-site POSTs and the attacker cannot forge it; reject when both headers are missing
4️⃣ Use Proper HTTP Methods
- Never perform sensitive actions via GET
- POST alone is not a defense (a hidden form can be auto-submitted); combine it with tokens or SameSite
CSRF in OWASP Top 10
CSRF appeared in the OWASP Top 10 Web Application Risks in the 2007, 2010 and 2013 editions and was dropped in 2017, largely because modern frameworks now ship CSRF protection by default.
Built-in protection only helps when it is enabled and applied to every state-changing endpoint; misconfiguration and hand-written routes that bypass the framework still lead to exploitation.
Interview Questions on CSRF (Very Important)
- What is CSRF?
- How does CSRF work?
- Why are cookies critical in CSRF attacks?
- Difference between CSRF and XSS?
- How can CSRF be prevented?
Final Conclusion
CSRF attacks exploit the trust a website places in an authenticated user. By understanding the CSRF attack flow and implementing proper defenses such as CSRF tokens and SameSite cookies, developers and security professionals can protect users from unauthorized actions.
Protect trust, verify every request 🚀