💡 Introduction
Cross-Site Request Forgery (CSRF) tricks an authenticated user into unknowingly performing actions on a web app — like changing their password or transferring funds — without their consent.
It’s quiet, deceptive, and can be devastating.
🧠 What Is CSRF?
If a user is already logged in, and a malicious website sends a request to the target app, the browser includes session cookies automatically.
The server thinks it’s legit — but it’s actually an attack.
Real-life example:
A logged-in user visits:
<img src="http://bank.com/transfer?amount=1000&to=attacker" />If no CSRF protection is in place, the bank transfers the money 😱
🎯 What Actions Can Be Exploited?
Change email or password
Add/modify users
Transfer money
Delete accounts
Purchase products
🧪 Testing for CSRF
Step 1: Find a vulnerable endpoint
Look for POST or GET requests that perform state-changing actions — like:
/change-password
/delete-user
/update-profileStep 2: Craft a fake HTML form
<form action="http://target.com/update-email" method="POST">
<input type="hidden" name="email" value="attacker@evil.com" />
<input type="submit" value="Click me" />
</form>When the victim clicks the button, their browser sends the request with their session.
🧪 Lab Test with DVWA
Use DVWA → CSRF module
Log in as the victim
Open the attacker page with this:
<img src="http://localhost/vulnerable/change-pass.php?pass=1234&confirm=1234">You’ve just silently changed the victim’s password.
🔐 How to Prevent CSRF
From the defender’s side:
✅ Use:
Anti-CSRF Tokens: Random values added to every form/request
SameSite Cookies: Prevents cookie transmission across origins
Double Submit Cookie Pattern
Re-authentication for critical actions
Confirm dialogs / CAPTCHA before sensitive changes
🚫 Don’t rely on:
Referrer headers alone
Security through obscurity (e.g., long URLs)
🔍 How CSRF Tokens Work
A token is generated for each user:
<input type="hidden" name="csrf_token" value="somerandomtoken">The server checks that the token matches the session.
If not → Request denied.
Tools like Burp Suite and OWASP ZAP can detect missing or broken CSRF protection.
🧩 Advanced Note: CSRF + XSS
If a site has both XSS and CSRF, attackers can:
Steal the CSRF token via XSS
Bypass CSRF protection
Fully automate account takeovers
🔚 Wrapping Up
You now understand:
What CSRF is and how it works
How to test and exploit it
How to build defenses against it
This silent attack has compromised banking apps, email platforms, and even admin panels.
👉 Next up:
Part 10 – Insecure Deserialization: Remote Code Execution via Serialized Data
We’ll explore how apps that trust serialized data can be manipulated to execute attacker-controlled code.
1 thought on “Cross-Site Request Forgery (CSRF) – Hijacking Sessions Silently”