Cross-Site Request Forgery (CSRF) exploits the fact that browsers automatically include cookies and other session credentials when making requests to a site. If an application solely relies on these credentials to authorise sensitive actions, then an attacker may be able to cause a victim’s browser to submit a forged request without them realising.
A classic example is a hidden form on a malicious page that auto-submits to a target application when the victim visits it whilst already logged in. Because the browser attaches the victim's session cookie, the target application accepts the request, and actions such as changing an email address, adding a payee, or updating account settings may succeed even though the victim never intended them.
CSRF is not about stealing the session itself; it is about abusing an existing authenticated session to perform unauthorised state-changing actions. Effective defences include anti-CSRF tokens tied to the user's session, the SameSite cookie attribute (Lax or Strict) so that the browser withholds the session cookie on cross-site requests, re-authentication for high-risk actions, and checking the Origin or Referer header of requests where appropriate. These are best layered: SameSite=Lax, for example, still sends cookies on top-level GET navigations, so state-changing GET endpoints remain exposed unless they are also token-protected.
There are multiple methods of implementing anti-CSRF tokens (a per-session token held server-side, a per-request token, or a signed "double submit" value), but the core principle is the same: the token must be unpredictable, generated from a cryptographically secure random source, bound to the user's session, and included in every request that performs a sensitive action, typically as a hidden form field or custom header rather than as a cookie. The server then checks that the token is present and matches the one held for that session before processing the request. An attacker's page on another origin cannot read the victim's token, so it cannot forge a request that passes the check.
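The forged request from the auto-submitting form above, replayed against a cookie-only handler and against a hardened one, as an added example that is not code from the original page. It assumes a hypothetical site origin `https://bank.example`, an in-memory session store, and request objects modelled as plain dictionaries (cookies, headers, form fields); the attacker page is a constructed string. The hardened handler layers the three server-side checks discussed: a SameSite session cookie, an Origin/Referer check, and a session-bound token compared in constant time.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin and an in-memory session store, both constructed for this example.
SITE_ORIGIN = "https://bank.example"
SESSIONS: dict[str, dict] = {}


def create_session() -> str:
    """Log a user in: mint a session ID and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session. SameSite=Lax stops the browser attaching
    the cookie to cross-site POSTs; it is a second layer next to the token."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_change_email_form(sid: str) -> str:
    """The legitimate page embeds the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/account/email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def origin_ok(headers: dict) -> bool:
    """Reject if a present Origin (or, failing that, Referer) is not our site.
    If neither header is present we fall through to the token check."""
    origin = headers.get("Origin")
    if origin is None and (referer := headers.get("Referer")) is not None:
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin is None or origin == SITE_ORIGIN


def vulnerable_change_email(cookies: dict, headers: dict, form: dict):
    """Relies on the session cookie alone, so any cross-site form post succeeds."""
    if cookies.get("session") not in SESSIONS:
        return 401, "not authenticated"
    return 200, f"email changed to {form['email']}"


def hardened_change_email(cookies: dict, headers: dict, form: dict):
    """Same action with an Origin/Referer check plus a session-bound token."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    if not origin_ok(headers):
        return 403, "cross-site origin rejected"
    # compare_digest is constant-time, so response timing does not leak the token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"email changed to {form['email']}"


# Constructed attacker page: auto-submits a forged POST while the victim is logged in.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://bank.example/account/email">
  <input type="hidden" name="email" value="attacker@evil.example">
</form><script>document.getElementById("f").submit()</script>"""


def simulate() -> dict:
    """Replay the forged and a genuine request against both handlers; return status codes."""
    sid = create_session()
    victim_cookies = {"session": sid}  # the browser attaches this automatically
    forged_headers = {"Origin": "https://attacker.example"}  # set by the browser on cross-site POST
    forged_form = {"email": "attacker@evil.example"}  # attacker cannot know the token
    genuine_headers = {"Origin": SITE_ORIGIN}
    genuine_form = {"csrf_token": SESSIONS[sid]["csrf_token"], "email": "me@example.org"}
    return {
        "vulnerable_forged": vulnerable_change_email(victim_cookies, forged_headers, forged_form)[0],
        "hardened_forged": hardened_change_email(victim_cookies, forged_headers, forged_form)[0],
        "hardened_forged_no_origin": hardened_change_email(victim_cookies, {}, forged_form)[0],
        "hardened_genuine": hardened_change_email(victim_cookies, genuine_headers, genuine_form)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

The cookie-only handler returns 200 for the forged request; the hardened handler rejects it on origin, and still rejects it on the token check even when no Origin or Referer header reaches the server. Letting a request with neither header through to the token check (rather than rejecting outright) is a deliberate choice here: some privacy tooling strips Referer, and the token remains the primary control.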
In consumer applications, CSRF can enable account takeover or fraudulent transactions. In administrative interfaces, it can allow changes to users, permissions, billing settings, or security controls. As these requests come from a genuine authenticated browser, the activity can initially look legitimate in logs.
CSRF remains an important review area in web application penetration testing, particularly where cookie-based authentication is used. It also intersects with session hijacking and XSS-related risks, although the attack mechanics are different: in particular, an XSS flaw on the same origin lets injected script read the anti-CSRF token and submit it, so token-based CSRF protection does not survive an XSS vulnerability.