CSRF (Cross-Site Request Forgery)
CSRF makes a logged-in user's browser issue authenticated requests the user did not intend.
Definition
Cross-Site Request Forgery (CSRF) is a vulnerability that lets an attacker cause an authenticated user's browser to send a request to a target application without the user's knowledge. Because the browser automatically attaches the user's session cookie to any request to the target's origin, the target application sees an authenticated request from a real user — and processes it as such.
CSRF is the inverse of XSS: XSS runs attacker script on the user's origin; CSRF runs attacker-chosen requests from the user's origin. Modern browsers' SameSite cookie defaults (Lax since Chrome 80) blunt most low-effort CSRF, but applications with permissive cookies, custom auth headers, or unusual flow patterns still have exploitable corners.
How it works
The attacker hosts a page on an unrelated origin that issues a request to the target — typically via a hidden form auto-submitted with JavaScript, an `<img>` tag for GET-based state changes, or `fetch()` with `mode: 'no-cors'` for fire-and-forget POSTs. The victim visits the attacker's page while logged in to the target site. The browser sends the request with the victim's session cookie attached. The target processes it as a legitimate user action.
State-changing GET requests are the most common CSRF surface (no preflight, no Origin check). POSTs with `application/x-www-form-urlencoded` bodies are next — they're "simple" CORS requests and don't trigger a preflight either.
Impact
Account takeover (CSRF on a password-change endpoint), fund transfer, configuration change, privilege escalation. The blast radius is bounded by what the target application lets the victim do; on admin consoles, that is everything.
Mitigation
Use SameSite=Lax (or Strict) for session cookies. Add the double-submit cookie pattern or a synchronizer token (CSRF token) to every state-changing request and reject requests that lack a valid one. Verify the `Origin` header on non-GET endpoints and reject cross-origin values. For pure JSON APIs, require a custom header (`X-CSRF-Token` or `Authorization: Bearer`): a cross-origin request carrying a custom header triggers a CORS preflight, which fails unless the target's CORS policy explicitly allows that origin and header, so a forged request never reaches the endpoint. The OWASP CSRF Prevention Cheat Sheet covers each pattern.
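The Origin check and synchronizer-token pattern described above, combined in one server-side gate, as an added example that is not code from the original page. The target origin `https://bank.example` and the request shape (method, header dict, server-side session dict, form dict) are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}      # must never change state
ALLOWED_ORIGINS = {"https://bank.example"}     # assumed target origin (constructed)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: mint one random token per session, keep it
    server-side, and embed it in every form the server renders."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Origin check: browsers send Origin on cross-site POSTs ("null" for
    opaque origins such as sandboxed frames). Fall back to the Referer's
    scheme+host when Origin is absent; reject when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def csrf_check(method: str, headers: dict, session: dict, form: dict) -> tuple:
    """Gate applied to every request; returns (allowed, reason).
    Safe methods are exempt only because they must never change state."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "origin not allowed"
    expected = session.get("csrf_token")
    # Token may arrive as a form field or, for JSON APIs, as a custom header
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token via timing
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "ok"
```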
Examples
- CVE-2018-8788 — Pulse Connect Secure CSRF leading to admin compromise.