Cross-Site Request Forgery (CSRF)


What is CSRF?

Cross-Site Request Forgery (CSRF) is a type of web application vulnerability that allows attackers to trick users into performing actions they didn’t intend - such as changing their password or updating account settings - by taking advantage of their authenticated session in a vulnerable application.

Imagine you're logged into your banking app in one tab, and in another tab you visit a malicious website. If the banking app doesn’t properly protect against CSRF, that malicious site could quietly send a request that transfers money or changes your email address - without you even realizing it.

How does a CSRF attack work?

A CSRF attack starts with a user who is authenticated to the target site. The attacker then only needs the victim's browser to send a request to that site: a link the user clicks, an image tag that loads silently, or a hidden form on the attacker's page that submits itself with no click at all. Because the browser attaches the site's cookies (or HTTP Basic credentials) to every request it sends there, regardless of which page triggered it, the server sees a request that is indistinguishable from one the user made deliberately, and the action succeeds without any further check.

For example, suppose changing the account email is a plain GET request such as http://example.com/change-email?email=hacker@example.com. If the site does not verify that the request was initiated from its own pages, the attacker only has to get a logged-in user to open that URL, or embed it as the src of an image on any page the user visits, and the email is silently changed. With control of the account's email address the attacker can then reset the password and hijack the account.

CSRF is especially dangerous when it affects application functions that alter sensitive data or state, such as updating user credentials, submitting forms, or making purchases. Note that the attacker never sees the response to the forged request (the browser's same-origin policy keeps it from the attacking page); CSRF is about making the user's session do something, not about reading data through it.

Why CSRF is a serious threat

CSRF attacks can lead to:

  • Account hijacking, for example by changing the account's email address or password
  • Exposure of sensitive data, indirectly: the attacker cannot read the response to a forged request, but can change settings that later leak data, such as the address that password resets or notifications are sent to
  • Unauthorized state changes such as transfers, purchases, or deleted records

If your application enables users to update settings, send messages, or manage data, CSRF should be on your radar.

How to prevent CSRF attacks

Any function that causes a change in application state should be protected by an anti-CSRF mechanism, and no state change should be reachable through a GET request at all. The most common and effective method is a CSRF token: a secret value generated per session (or per form submission), unpredictable, embedded in the application's own pages as a hidden form field or sent in a request header, and checked server-side on every state-changing request before the request is acted on. The token must not travel in a cookie alone, because the browser would attach it to a forged request exactly as it attaches the session cookie. Setting the SameSite attribute on the session cookie and checking the request's Origin header add defence in depth, but should complement the token rather than replace it.

How to detect CSRF vulnerabilities

Tools like Intruder's vulnerability scanner detect missing CSRF protections by checking whether state-changing actions (such as POST form submissions) lack the anti-CSRF token they should require.

Intruder highlights application features where protections are absent and may be vulnerable to forgery. Token-based detection cannot see other protection types, such as a custom request-header check or a SameSite attribute on the session cookie, so a missing token is a strong indicator of weakness rather than proof of exploitability; confirm it by replaying the request without the token and checking whether the change is still applied.
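A check of the kind described above, added here as an example in JavaScript and not Intruder's own scanner code: it walks the form elements of an HTML page, keeps the POST forms (the ones that should be changing state), and reports any that carry no hidden input whose name looks like an anti-CSRF token. The sample page and the token-name heuristic (`TOKEN_NAME`) are constructed assumptions; the comments note what the check cannot see.

```javascript
// Added example, not Intruder's scanner logic: a token-presence check of the
// kind described above, run over constructed sample HTML. It finds every
// <form method="post"> and reports those with no hidden input whose name
// looks like an anti-CSRF token. The name heuristic is an assumption.
const TOKEN_NAME = /csrf|xsrf|_token|authenticity|requestverification/i;

// Returns the POST forms that carry no recognisable anti-CSRF token.
function findFormsMissingCsrfToken(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    const [, attrs, body] = form;
    const methodMatch = /\bmethod\s*=\s*["']?(\w+)/i.exec(attrs);
    const method = methodMatch ? methodMatch[1].toLowerCase() : 'get'; // HTML default
    const actionMatch = /\baction\s*=\s*["']([^"']*)["']/i.exec(attrs);
    const action = actionMatch ? actionMatch[1] : '';
    if (method !== 'post') continue; // a GET form should not change state at all

    // Collect the names of the form's hidden inputs.
    const hiddenNames = [];
    const inputRe = /<input\b[^>]*>/gi;
    let input;
    while ((input = inputRe.exec(body)) !== null) {
      if (!/\btype\s*=\s*["']?hidden\b/i.test(input[0])) continue;
      const name = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(input[0]);
      if (name) hiddenNames.push(name[1]);
    }
    if (!hiddenNames.some((n) => TOKEN_NAME.test(n))) {
      findings.push({ action, hiddenInputs: hiddenNames });
    }
  }
  return findings;
}

// Constructed sample page: one protected POST form, one unprotected POST
// form, and one GET form that the check ignores.
const SAMPLE_HTML = `
<form method="post" action="/transfer">
  <input type="hidden" name="authenticity_token" value="c0ffee">
  <input name="to"><input name="amount"><button>Send</button>
</form>
<form method="POST" action="/change-email">
  <input type="hidden" name="return_to" value="/settings">
  <input type="email" name="email"><button>Save</button>
</form>
<form action="/search">
  <input name="q"><button>Search</button>
</form>
`;

console.log(findFormsMissingCsrfToken(SAMPLE_HTML));
// Caveat, as in the paragraph above: a form without a hidden token may still be
// protected by a custom request header added by script, by a SameSite session
// cookie, or by an Origin check, none of which this check can see. Treat a
// finding as a lead to confirm by replaying the request without the token.
```

On the sample page only the /change-email form is reported; its one hidden input, return_to, is not a token. JSON APIs driven by script rather than HTML forms need a different check, since they carry no form at all.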

How Intruder helps

Intruder makes it simple to uncover CSRF vulnerabilities before attackers can exploit them by checking for missing CSRF protections.

Start your free 14-day trial to test your applications for CSRF.