Cross-Site Request Forgery (CSRF)

Security+ 🏆 • Web Security 🕸️ • Vulnerabilities 🚨 Difficulty: free

Definition

CSRF is an attack that tricks a signed-in user’s browser into sending unwanted, authenticated requests to a website, causing actions like changing settings or transferring money without the user’s intent.

Examples

  • While logged in to a banking site, a user visits a malicious page that auto-submits a hidden form to /transfer using the user’s cookie—moving funds to the attacker.
  • A forum uses GET to perform state changes. An attacker embeds an <img src="https://forum.example.com/moderate?delete=123"> which deletes a post when a moderator views it.

Discover 🔎

Web browsers automatically attach cookies to requests for a site the user is signed in to. CSRF exploits that convenience (ambient authority): a malicious site causes the victim’s browser to send a request to the target site, which arrives with valid cookies and looks legitimate. If the target doesn’t insist on a fresh proof of intent, it may execute the action.

Remember: CSRF is about tricking the user’s browser into acting on their behalf—the attacker never needs to steal the cookie or read the response.