Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application. CSRF attacks target state-changing requests — not data theft — since the attacker cannot see the response to the forged request.
CSRF exploits the browser's automatic inclusion of credentials (cookies, HTTP auth) with every request to a domain. If a user is logged into a banking site and visits a malicious page, that page can submit a hidden form to the banking site — and the browser will attach the user's session cookie automatically. The impact ranges from changing email addresses and passwords to transferring funds and modifying account settings.
While SameSite cookie attributes and CSRF tokens have significantly reduced the attack surface, bypasses continue to emerge. Common techniques include exploiting misconfigured SameSite policies, token fixation, subdomain takeover to bypass origin checks, and leveraging CORS misconfigurations. JSON-based CSRF using Flash or content-type tricks has historically been a rich area for bypasses, and new browser behaviors regularly shift what's exploitable.
CSRF is often combined with other vulnerabilities — an XSS bug can extract CSRF tokens, and open redirects can be used to leak tokens through the Referer header.
This page collects CSRF research, bypass techniques, defense mechanisms, and real-world writeups demonstrating exploitation in modern applications.
From OWASP
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-04-22 2026 | CVE-2025-12821: WordPress NewsBlogger CSRF Allowing RCE news | Writeup of CVE-2025-12821, a Cross-Site Request Forgery (CSRF) vulnerability in the NewsBlogger WordPress theme (versions 0.2.5.6 through 0.2.6.1), allowing arbitrary file upload and remote code execution. This critical flaw, a regression of CVE-2025-1305, arises from missing nonce validation in the `newsblogger_install_and_activate_plugin()` function, enabling unauthenticated attackers to compromise sites by tricking administrators into clicking malicious links. → sentinelone.com |
| 2026-04-22 2026 | Manipulating User Email: A CSRF PoC From TCM Academy intermediate | Manipulating User Email: A CSRF PoC From TCM Academy |
| 2026-04-22 2026 | Bypassing CSRF Token Validation Techniques intermediate | Bypassing CSRF Token Validation Techniques |
| 2026-04-22 2026 | CVE-2026-40925: CSRF in WWBN AVideo Configuration Endpoint news | Writeup of CVE-2026-40925 detailing a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo versions 29.0 and prior. The configuration update endpoint fails to implement proper CSRF protections, allowing an attacker to overwrite critical site settings like SMTP credentials and encoder URLs via a malicious POST request from an administrator's browser, facilitated by the platform's `session.cookie_samesite=None` setting. A fix is noted in commit f9492f5e6123dff0292d5bb3164fde7665dc36b4. → radar.offseq.com |
| 2026-04-22 2026 | Internet Bug Bounty: Argo CD CSRF leads to Kubernetes cluster compromise news | Program: Internet Bug Bounty Severity: high Weakness: Cross-Site Request Forgery (CSRF) GHSA: https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg It's been publicly known for... → hackerone.com |
| 2026-04-19 2026 | CVE-2025-9611: Microsoft Playwright MCP Server CSRF Flaw news | CVE-2025-9611 describes a DNS rebinding vulnerability in Microsoft Playwright MCP Server versions prior to 0.0.40, allowing attackers to exploit browser interactions to invoke tool endpoints without proper authentication by bypassing same-origin protections. The vulnerability, rooted in the lack of Origin header validation, can lead to unauthorized commands and system manipulation. Mitigation involves upgrading to version 0.0.40+, configuring `allowedHosts`, and implementing workarounds such as restricting binding to localhost or using a reverse proxy with origin validation. → sentinelone.com |
| 2026-04-19 2026 | CVE-2025-23797: WP Options Editor CSRF Vulnerability news | Writeup of CVE-2025-23797, a Cross-Site Request Forgery vulnerability affecting the WP Options Editor WordPress plugin. This flaw, present in versions up to 1.1, allows unauthenticated attackers to trick administrators into clicking malicious links, leading to privilege escalation by modifying critical WordPress options like `default_role` and user capabilities without proper nonce verification. Mitigation requires immediate deactivation and removal of the plugin, auditing options, and verifying administrator accounts. → sentinelone.com |
| 2026-04-19 2026 | AVideo CSRF — CVE-2025-3100 (Critical) news | Writeup of AVideo CSRF — CVE-2025-3100 details a critical cross-site request forgery vulnerability in AVideo Platform's `emailAllUsers.json.php` endpoint. This allows attackers to trigger mass email phishing campaigns by tricking an authenticated administrator into visiting a malicious page. The exploit leverages the absence of CSRF token validation and AVideo's `SameSite=None` cookie configuration to send arbitrary HTML content as emails to all registered users via the platform's SMTP server, bypassing standard protections. → dailycve.com |
| 2026-04-19 2026 | Authlib (Python) CSRF (Cache-Backed OAuth State) — CVE-2025-68158 news | Library for Python applications, Authlib (versions prior to 1.6.6) suffers from CVE-2025-68158, a medium-severity CSRF vulnerability. The flaw allows attackers to hijack OAuth flows by exploiting a weak binding between the cache-backed state parameter and user sessions. This enables account takeover by tricking victims into clicking malicious links, leading to their accounts being linked to an attacker's external identity, potentially resulting in data compromise and financial loss. → dailycve.com |
| 2026-04-19 2026 | Web Security Academy: CSRF SameSite Lax Bypass via Method Override intermediate | Web Security Academy: CSRF SameSite Lax Bypass via Method Override |
| 2026-04-16 2026 | Top CSRF HackerOne Reports intermediate | Library of HackerOne reports detailing Cross-Site Request Forgery (CSRF) vulnerabilities, including account takeovers on Rockstar Games and TikTok, CSRF token leakage on Shopify, and bypasses against GitHub Enterprise and Argo CD. The collection highlights issues such as improper CSRF token validation, chained exploits leading to stored XSS, and vulnerabilities in OAuth flows and API endpoints. It also features reports on CSRF in payment provider connections, Slack integrations, and WordPress. |
| 2026-04-16 2026 | Modern CSRF Mitigation in Single Page Applications intermediate | Modern CSRF Mitigation in Single Page Applications |
| 2026-04-16 2026 | CSRF in the Age of JSON intermediate | Writeup on CSRF in the age of JSON, detailing how Cross-Site Request Forgery attacks persist against applications using JSON for data transfer. It covers challenges introduced by the `application/json` MIME type and Same-Origin Policy, exploring exploitation techniques such as manipulating content types to `text/plain` and leveraging weak CORS policies with `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` headers. The writeup assumes an authorization model based on cookies and predictable request schemas, providing concrete examples of vulnerable requests and proof-of-concept exploits. |
| 2026-04-16 2026 | Top 25 CSRF Bug Bounty Reports intermediate | Top 25 CSRF Bug Bounty Reports → corneacristian.medium.com |
| 2026-04-16 2026 | The Bug Bounty Guide to Exploiting CSRF Vulnerabilities - YesWeHack beginner | Guide to exploiting Cross-Site Request Forgery (CSRF) vulnerabilities, detailing POST-based, GET-based, and stored CSRF attacks. It explains how attackers leverage a user's authenticated session to trick their browser into executing unauthorized actions, such as changing account settings or transferring funds. The guide illustrates real-world scenarios and payloads, including HTML forms for POST requests and image tags for GET requests, to demonstrate the mechanisms and impact of these vulnerabilities, emphasizing the exploitation of trust between browser and site without proper anti-CSRF protections. → yeswehack.com |
| 2026-04-16 2026 | CSRF: Advanced Exploitation Guide - Intigriti advanced | Guide to advanced CSRF exploitation techniques, detailing how to identify and exploit vulnerabilities by understanding conditions like the `SameSite` cookie policy and the absence of unpredictable tokens. It covers bypassing Content-Type and method-based restrictions, as well as exploiting weaknesses in anti-CSRF token validation and Referer header checks. → intigriti.com |
| 2026-04-10 2026 | Web Application Security: Anti-CSRF & Cookie SameSite Options beginner | Guide to implementing anti-CSRF tokens and Cookie SameSite options, detailing how CSRF attacks leverage GET and POST requests and exploit HTML forms with JavaScript. It explains the mechanics of hidden input fields and form submission, then introduces secret, randomly generated tokens as a primary defense, to be verified by the server upon form submission. |
| 2026-04-10 2026 | CSRF Protection - Clerk Docs beginner | Guide to CSRF protection detailing Cross-Site Request Forgery attacks and how to mitigate them using the `SameSite` cookie attribute. It explains the `Strict`, `Lax`, and `None` values for `SameSite` and highlights that Clerk configures session cookies with `Lax`, the modern browser default, to prevent CSRF without degrading user experience. The guide emphasizes that navigation alone should not trigger backend mutations to avoid XSS vulnerabilities. |
| 2026-04-10 2026 | Preventing CSRF with the SameSite Cookie Attribute intermediate | Reference detailing the SameSite cookie attribute for preventing Cross-Site Request Forgery (CSRF) attacks. It explains how cookies function and how browsers send them with third-party requests, enabling CSRF. The attribute, with 'Strict' and 'Lax' values, instructs browsers to control cookie transmission, mitigating attacks like those exploiting POST requests to sensitive endpoints. The entry also notes Netsparker's implementation of checks for this attribute. → invicti.com |
| 2026-04-10 2026 | CSRF Attacks: Bypassing SameSite Cookies intermediate | Guide to bypassing SameSite cookies in CSRF attacks, detailing methods like exploiting Lax policy GET requests, using 307/308 redirects, and leveraging subdomain takeovers. It covers testing methodologies and mitigation techniques for developers, including SameSite=Strict and CSRF tokens. |
| 2026-04-10 2026 | Advanced CSRF: How to Bypass SameSite Cookie Protections advanced | Library detailing bypass techniques for SameSite cookie protections, which default to Lax in Chrome. It explains the distinction between Site and Origin, the three SameSite restriction levels (Strict, Lax, None), and demonstrates how misconfigured servers can be exploited. The article outlines methods to bypass Lax restrictions using GET requests, even when POST is expected, and circumvent Strict protections through third-party redirect gadgets, particularly client-side JavaScript. |
| 2026-04-10 2026 | CSRF & Bypasses - Cobalt intermediate | Library exploring Cross-Site Request Forgery (CSRF) vulnerabilities, detailing attack flows, exploitation techniques against applications without defenses, and various bypass methods. It covers bypassing CSRF token validations by changing request methods or removing tokens, and other bypasses including Referer header manipulation, content type checks, session fixation, SameSite cookie attribute exploitation, and Laravel-specific token manipulation. → cobalt.io |
| 2026-04-10 2026 | Cross-site request forgery - Wikipedia beginner | Library detailing Cross-Site Request Forgery (CSRF) attacks, also known as one-click attacks. It explains how attackers exploit trust in a user's browser to submit unauthorized commands, impacting sites like Netflix, ING Direct, YouTube, and McAfee. The entry highlights the use of specially crafted image tags, hidden forms, JavaScript, and CVE-2008-6586 in μTorrent, emphasizing how cookies and GET requests facilitate these exploits. |
| 2026-04-10 2026 | CSRF - OWASP Foundation beginner | Reference to Cross-Site Request Forgery (CSRF), an attack forcing authenticated users to execute unwanted actions. It details how attackers can trick victims via social engineering to perform state-changing requests, potentially compromising entire web applications or stealing private data through methods like login CSRF. The document highlights flawed prevention techniques and illustrates attack scenarios, including GET and POST request exploits, and mentions frameworks with built-in CSRF support and tools like OWASP CSRF Guard. → owasp.org |
| 2026-04-10 2026 | CSRF: Cross Site Request Forgery Example - Imperva beginner | Library for detecting and preventing Cross-Site Request Forgery (CSRF) attacks, detailing how these attacks trick users into performing unwanted actions via forged requests embedded in links or forms. The resource highlights common CSRF attack vectors, using a bank transfer example, and discusses mitigation techniques such as unique session tokens, double cookie submission, and custom rules like those found in Imperva's IncapRules engine, which can filter requests based on HTTP referrer headers to counter social engineering. → imperva.com |
| 2026-04-10 2026 | CWE-352: Cross-Site Request Forgery beginner | CWE-352: Cross-Site Request Forgery |
| 2026-04-10 2026 | What Is CSRF? - Palo Alto Networks beginner | Reference defining CSRF (CWE-352), a web application attack exploiting session-based authentication to trick authenticated users into submitting unintended requests. Attackers leverage the browser's automatic inclusion of session cookies to perform unauthorized actions on behalf of the user without their knowledge or consent, such as changing settings or initiating transactions. This technique plays a supporting role in MITRE ATT&CK techniques like T1530. → paloaltonetworks.com |
| 2026-04-10 2026 | What is CSRF? Attacks, Mitigation, Prevention - Acunetix beginner | Reference on Cross-Site Request Forgery (CSRF), detailing its mechanism of tricking authenticated users into performing unintended actions, often via social engineering or malicious links. It highlights how CSRF leverages session cookies to bypass authentication, affecting state changes in web applications. The entry explains CSRF execution through both GET and POST requests, providing examples using HTML tags and JavaScript. It also touches upon prevention mechanisms like referer headers and custom X-Requested-With headers. → acunetix.com |
| 2026-04-10 2026 | CSRF Attacks - Rapid7 beginner | Reference defining Cross-Site Request Forgery (CSRF) attacks, detailing how they exploit user trust and authenticated sessions to perform unauthorized actions, such as money transfers or account alterations. It covers attack mechanisms, including social engineering and stored CSRF via XSS like the Samy MySpace worm, and highlights impacts on services like Gmail and Facebook. Prevention strategies emphasize enabling CSRF protection, utilizing CSRF tokens, and conducting regular web application security testing and penetration testing to mitigate risks. → rapid7.com |
| 2026-04-06 2026 | Cookies: HTTP State Management Mechanism (RFC 6265bis) beginner | Reference document defining HTTP Cookie and Set-Cookie header fields. It details how servers store state at user agents for session management, superseding RFC 6265. The specification clarifies cookie scope, attributes like "Secure", and addresses historical security and privacy flaws, recommending a well-behaved profile for servers and liberal processing for user agents to maximize interoperability. |
| 2026-04-06 2026 | CVE-2026-34394: Wwbn Avideo CSRF Vulnerability news | Analysis of CVE-2026-34394 reveals a critical Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo. The admin plugin configuration endpoint, admin/save.json.php, fails to validate CSRF tokens and bypasses table security checks. This, combined with a SameSite=None cookie policy, allows attackers to overwrite arbitrary plugin settings by crafting forged cross-origin POST requests, potentially compromising payment processors, authentication providers, and cloud storage credentials. Mitigation involves restricting administrative access, implementing WAF rules, and advising administrators on secure browsing habits. → sentinelone.com |
| 2026-04-06 2026 | Cross-site request forgery (CSRF) - Security - MDN Web Docs beginner | Reference detailing Cross-Site Request Forgery (CSRF) attacks, where attackers trick browsers into executing unwanted actions on legitimate sites by exploiting session cookies. It outlines attack vectors using forms and image tags, and explores defenses including CSRF tokens, Fetch metadata headers (specifically `Sec-Fetch-Site`), making requests non-simple by setting `Content-Type` to `application/json` or custom headers, and the `SameSite` cookie attribute for defense in depth. Modern frameworks like Django offer built-in CSRF token protection. |
| 2026-04-03 2026 | CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics intermediate | CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics |
| 2026-04-03 2026 | Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger intermediate | Lab demonstrating a CSRF attack to bypass SameSite cookie restrictions. This lab involves changing a victim's email address by exploiting a vulnerable account change function. The technique focuses on a SameSite Lax bypass via cookie refresh, requiring an attacker to circumvent browser popup blockers and induce user interaction to trigger the necessary OAuth flow and subsequent email modification. → portswigger.net |
| 2026-04-03 2026 | Lab: SameSite Lax Bypass via Method Override | PortSwigger intermediate | Lab: SameSite Lax bypass via method override details a Cross-Site Request Forgery (CSRF) vulnerability within the "change email" function. The lab demonstrates how to bypass SameSite cookie restrictions, specifically the Lax default, by crafting a GET request that overrides the intended POST method using the `_method` parameter. The solution involves using an exploit server to trigger a top-level navigation that sends the malicious request, ultimately changing the victim's email address. → portswigger.net |
| 2026-04-03 2026 | Advanced Techniques to Bypass CSRF Defenses advanced | Advanced Techniques to Bypass CSRF Defenses |
| 2026-04-03 2026 | Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser beginner | Guide to Cross-Site Request Forgery (CSRF) attacks, detailing its mechanics through examples like manipulated image tags and auto-submitting forms. It outlines manual testing techniques for CSRF token validation, HTTP methods, content types, and referrer headers. The guide also covers automated discovery using tools such as Burp Suite extensions (CSRF Scanner, CSurfer, Auto CSRF), XSRFProbe, and custom Python scripts, along with specific attack vectors including GET-based, POST-based, and JSON CSRF. |
| 2026-04-03 2026 | CSRF (Cross Site Request Forgery) | HackTricks beginner | Reference detailing Cross-Site Request Forgery (CSRF) vulnerabilities, explaining how attackers exploit authenticated sessions to perform actions on behalf of users. It covers exploitation conditions, countermeasures like SameSite cookies, CORS, user verification, referrer checks, and CSRF tokens. The resource also highlights common anti-patterns, such as bypassing CSRF protections on non-POST verbs through method overrides and inadequate token validation tied to global pools. → book.hacktricks.xyz |
| 2026-04-03 2026 | Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger intermediate | Library for understanding and bypassing SameSite cookie restrictions. This resource details how SameSite's `Strict`, `Lax`, and `None` attributes function, including Chrome's default `Lax` behavior. It explains how to exploit misconfigurations and bypasses, particularly for CSRF attacks, by leveraging GET requests or scenarios where `SameSite=None` with the `Secure` attribute is used. → portswigger.net |
| 2026-04-03 2026 | CSRF & Bypasses | Cobalt intermediate | Library detailing Cross-Site Request Forgery (CSRF) vulnerabilities and bypass techniques. It covers how CSRF attacks exploit authenticated users to perform unwanted actions, including exploitation via GET requests, IMG tags, and POST requests. Specific bypass methods discussed include altering request methods, removing CSRF token parameters, manipulating referrer headers, content type checks, and exploiting SameSite cookie attributes through client-side redirects. The resource also touches on bypassing CSRF protection in frameworks like Laravel and utilizing session fixation. → cobalt.io |
| 2026-04-03 2026 | Cross-Site Request Forgery Prevention Cheat Sheet | OWASP beginner | Library: OWASP Cross-Site Request Forgery Prevention Cheat Sheet. This resource details Cross-Site Request Forgery (CSRF) attacks, where attackers trick users' browsers into performing unwanted actions on trusted sites. It recommends defenses including framework-built-in protection, synchronizer tokens for stateful applications, and double submit cookies for stateless applications. Techniques like Fetch Metadata headers, SameSite cookie attributes, and user interaction-based protection are also discussed, alongside the crucial understanding that Cross-Site Scripting (XSS) can undermine CSRF mitigations. → cheatsheetseries.owasp.org |
| 2025-09-25 2025 | Side-by-Side Comparison of SSRF vs. CSRF | Attaxion beginner SSRF | Library detailing Server-Side Request Forgery (SSRF) and Cross-Site Request Forgery (CSRF) attacks, highlighting SSRF's CWE-918 classification and its role in incidents like the Capital One breach and Microsoft Exchange attacks (CVE-2021-26855). It contrasts SSRF's server-targeting nature with CSRF's browser-based exploitation of authenticated users, explaining attack mechanisms and detection methods using tools like OWASP ZAP. |
| 2025-08-14 2025 | devanshbatham/Vulnerabilities-Unmasked beginner IDOR XSS | Library providing simplified explanations and analogies for common web vulnerabilities, including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, ClickJacking, Subdomain Takeover, Privilege Escalation, Role-Based Access Control (RBAC) Vulnerabilities, Server-Side Request Forgery (SSRF), Vulnerable and Outdated Components, Local File Inclusion (LFI), Denial of Service (DOS), Authentication Bypass, Insecure Direct Object Reference (IDOR), 2FA Bypass, and Race Condition Vulnerability. |
| 2025-08-14 2025 | In Praise of CSRF Tokens – Tim MalcomVetter – Medium beginner | The content titled "In Praise of CSRF Tokens" by Tim MalcomVetter on Medium likely discusses the importance and benefits of Cross-Site Request Forgery (CSRF) tokens in web security. CSRF tokens are used to prevent unauthorized actions on websites by verifying the origin of requests. The article may highlight how CSRF tokens enhance security measures and protect against malicious attacks. It likely emphasizes the significance of implementing CSRF tokens to safeguard user data and maintain the integrity of web applications. |
| 2025-08-14 2025 | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for intermediate GraphQL | The content seems to highlight a potential security issue related to Facebook's GraphQL service, specifically concerning Cross-Site Request Forgery (CSRF) attacks. It suggests that access tokens may not be the main target for such attacks. This implies that there may be vulnerabilities in the handling of GraphQL requests that could be exploited by malicious actors. It serves as a cautionary note for users and developers to be aware of potential CSRF risks when using Facebook's GraphQL service. |
| 2025-08-14 2025 | https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f beginner | The content discusses Cross-Site Request Forgery (CSRF) attacks and the importance of implementing secure practices to prevent them. It highlights the risks associated with CSRF attacks, such as unauthorized actions on behalf of users. The author emphasizes the significance of using anti-CSRF tokens and secure coding practices to mitigate these risks. By incorporating these measures, websites can enhance their security and protect users from CSRF vulnerabilities. |
| 2025-08-14 2025 | https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver intermediate | Writeup detailing how to bypass CSRF tokens using Python's `cgihttpserver`. This technique leverages the server's behavior to potentially submit requests without valid tokens, offering a practical approach to testing CSRF defenses. The article, while not directly a library, demonstrates a specific vulnerability exploitation method relevant to application security professionals. |
| 2025-08-14 2025 | web application - Should login and logout action have CSRF protection? - In beginner | Analysis of CSRF protection for web application login and logout actions, detailing how attackers can exploit login CSRF to redirect victims to attacker-controlled accounts, enabling credential hijacking and content manipulation. It also highlights the risks of logout CSRF, particularly when combined with phishing attacks or other vulnerabilities like self XSS, to facilitate account takeovers and persistent remote JavaScript execution, referencing scenarios like the LostPass exploit and WAF bypass techniques. |
| 2025-08-14 2025 | https://mixmax.com/blog/modern-csrf beginner | Library for layering CSRF protection atop traditional CORS policies, named `cors-gate`. This Node module utilizes an Origin-based approach, complementing CORS by checking the `Origin` and `Referer` headers to prevent unauthorized cross-site requests. It addresses limitations of CORS alone, which can fail to block certain requests, and offers a modern solution for mitigating CSRF vulnerabilities. The library requires modern browser functionality and does not support older browsers. |
| 2025-08-14 2025 | https://scotthelme.co.uk/csrf-is-dead/ beginner | Reference detailing Cross-Site Request Forgery (CSRF) vulnerabilities and their solution via Same-Site Cookies. The article explains CSRF attacks, traditionally mitigated by checking Origin/Referer headers or employing Anti-CSRF tokens, and highlights the simplicity and effectiveness of Same-Site Cookies. It describes `Strict` and `Lax` modes for Same-Site Cookies, offering robust protection against CSRF by instructing browsers not to send cookies on cross-origin requests, with `Lax` allowing exceptions for top-level navigations using safe HTTP methods like GET. |
| 2025-08-14 2025 | oauth 2.0 - How does CSRF work without state parameter in OAuth2.0? - Stack intermediate | Reference on CSRF vulnerabilities in OAuth 2.0, detailing an attack flow where an attacker intercepts a callback URL and tricks a logged-in user into visiting it. This exploit allows the attacker to gain unauthorized access to the victim's account on the service provider by exchanging the resulting authorization code for an access token. The discussion specifically questions the role of the state parameter in preventing such Cross-Site Request Forgery attacks within the OAuth 2.0 framework. → stackoverflow.com |
| 2025-08-14 2025 | WordPress Front End Security: CSRF and Nonces | CSS-Tricks beginner | Library of WordPress functions for preventing Cross-Site Request Forgery (CSRF) attacks, including `wp_nonce_field`, `wp_verify_nonce`, `wp_nonce_url`, `wp_create_nonce`, and `check_ajax_referer`. These tools generate and validate unique, one-time use tokens (nonces) to ensure user actions, such as form submissions or URL clicks, are legitimate and not maliciously forged by attackers, protecting against vulnerabilities like those found in the WP SEO plugin. |
| 2025-08-14 2025 | ruby - Sinatra CSRF Authenticity tokens - Stack Overflow beginner | Library demonstrating CSRF authenticity tokens in the Sinatra web framework. This resource addresses how to implement CSRF protection, specifically noting Sinatra's use of Rack Protection. It provides guidance on generating or utilizing these tokens to secure user input forms within Sinatra applications. → stackoverflow.com |
| 2025-08-14 2025 | Avoiding CSRF Attacks with API Design intermediate | Reference on avoiding CSRF attacks through API design, emphasizing never using GET to modify state and implementing CSRF tokens. It details how malicious websites can exploit GET requests and basic POST forms, and suggests using CSRF tokens as a hidden field or header. The article also touches on stateless "double submit cookies" and considerations for non-browser API clients, mentioning the `csurf` library for Express. |
| 2025-08-14 2025 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate Bug Bounty XSS | Reference on SameSite by Default impacting bug bounty hunting, detailing its effects on Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP leaks, Data Exfiltration, XSLeaks, CORS misconfigurations, Cross-Site WebSocket Hijacking, and XSS. The shift to SameSite=Lax for cookies by default in Chrome 80 alters cross-origin request authentication, impacting vulnerabilities beyond traditional CSRF. |
| 2025-08-14 2025 | Bypass SameSite Cookies Default to Lax and get CSRF intermediate | The content highlights a security vulnerability where bypassing SameSite cookies set to the default "Lax" mode can lead to Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows malicious actors to exploit the lax SameSite cookie setting to perform unauthorized actions on behalf of a user. It emphasizes the importance of properly configuring SameSite cookie settings to prevent CSRF attacks and ensure the security of web applications. |
| 2025-08-14 2025 | https://medium.com/@shub66452/account-takeover-using-csrf-json-based-a0e6efd1bffc intermediate | The article discusses a security vulnerability known as Cross-Site Request Forgery (CSRF) that can lead to an account takeover when combined with JSON-based attacks. It explains how CSRF works, the impact it can have on user accounts, and how attackers can exploit it to gain unauthorized access. The author provides a detailed explanation of the attack scenario and suggests preventive measures to protect against CSRF and JSON-based attacks. Overall, the article highlights the importance of understanding and mitigating these security risks to safeguard user accounts and sensitive data. |
| 2025-08-14 2025 | https://portswigger.net/web-security/csrf beginner | Reference on Cross-Site Request Forgery (CSRF) detailing what it is, common vulnerabilities, and how to prevent it. The resource explains how attackers exploit cookie-based session handling and lack of unpredictable request parameters to make users perform unintended actions like changing email addresses or transferring funds. It also covers constructing and delivering CSRF attacks using tools like Burp Suite Professional and discusses common defenses such as CSRF tokens, SameSite cookies, and Referer-based validation. → portswigger.net |
| 2022-03-17 2022 | Favorite tweet by @manicode news | Favorite tweet: Oldie but a good one. Old school #CSRF against @netflix https://t.co/kSVU9VP65D — Jim Manico (@manicode) Mar 17, 2022 |
| 2022-01-08 2022 | Cross-Site Request Forgery (CSRF) | Complete Guide beginner | Cross-Site Request Forgery (CSRF) | Complete Guide |
| 2022-01-05 2022 | 0xInfection/XSRFProbe intermediate | Toolkit for auditing and exploiting Cross-Site Request Forgery (CSRF/XSRF) vulnerabilities. XSRFProbe features a robust crawling engine and performs systematic checks to detect CSRF flaws and bypasses. It supports custom cookie values, generic headers, and accurate token-strength detection. The toolkit can generate both normal and maliciously exploitable proof-of-concept examples for identified vulnerabilities, offering detailed logging and a user-controlled workflow. |
| 2020-02-14 2020 | Samesite by Default and What It Means for Bug Bounty Hunters intermediate Bug Bounty XSS | Article detailing the impact of Chrome's `SameSite=Lax` default on web vulnerabilities, including Clickjacking, Cross-Site Script Inclusion (XSSI), JSONP leaks, data exfiltration, XS-Leaks, CORS misconfigurations, Cross-Site WebSocket Hijacking, and XSS exploit chains that depend on cross-origin responses. Because the default drops cookies from most cross-site requests, many authenticated cross-origin attack vectors that bug bounty hunters relied on stop working. |
| 2020-01-19 2020 | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for intermediate GraphQL | Writeup of a CSRF against the GraphQL endpoint behind business.instagram.com: a cross-site request could trigger GraphQL calls in the victim's session. The bug sat in the "View the Assigned Roles and Emails of an Instagram Account" feature and was found while examining the authorization flow at business.instagram.com/login, where users without an Instagram Business account were dropped on an error page. |
| 2019-03-13 2019 | Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. intermediate | Testing an application whose "Delete User" module lets an admin delete any user by ID. Because the delete request carried no CSRF protection, a single forged page opened by an admin could iterate over user IDs and delete every account in the admin's session, turning a one-click CSRF into mass deletion. |
| 2019-02-10 2019 | WordPress Front End Security: CSRF and Nonces | CSS-Tricks intermediate | Guide for WordPress developers on preventing Cross-Site Request Forgery (CSRF) with nonces. It explains how a CSRF attack abuses the site's trust in a logged-in user's browser, citing a vulnerability in the WP SEO plugin, and demonstrates WordPress's nonce functions `wp_nonce_field`, `wp_verify_nonce`, `wp_nonce_url`, `wp_create_nonce`, and `check_ajax_referer` to validate user intent and reject forged requests. |
| 2018-06-26 2018 | Self-XSS + CSRF to Stored XSS intermediate XSS | First bug bounty writeup by Renwa: a self-XSS, normally unexploitable because only the victim can inject into their own account, is chained with CSRF so the attacker plants the payload for the victim, turning it into stored XSS. |
| 2018-04-30 2018 | Steal CSRF/Auth/Unique key Header with XSS intermediate XSS | Writeup on using an XSS bug to read a CSRF token, auth header, or other per-user unique key from the page and forward it to the attacker, the chain that turns a token-protected endpoint back into a CSRF target. |
| 2018-04-06 2018 | A Deep Dive into CSRF Protection in Rails – Ruby Inside – Medium intermediate | Walks through how Rails implements CSRF protection, from how the authenticity token is generated to how it is verified on each state-changing request, and was updated in June 2019 to reflect the corresponding code changes in Rails 6. |
| 2018-01-02 2018 | 0ang3el/EasyCSRF beginner | Library for identifying weak CSRF protection in web applications, particularly effective against API endpoints and GraphQL. EasyCSRF modifies HTTP requests to bypass common protections like content type checks and token parameters, allowing researchers to manually analyze failed versus successful actions in Burp Suite's proxy history. It supports various parameter and header name configurations, request whitelisting, and conversion between data formats. |
| 2017-02-22 2017 | Cross-Site Request Forgery is dead! intermediate | Article introducing the SameSite cookie attribute as a CSRF mitigation. Added to a cookie, the attribute tells the browser not to send it with cross-site requests, which removes the attacker's ability to ride the victim's session without any server-side token logic. Strict mode withholds the cookie from every cross-site request; Lax mode still sends it on top-level navigations that use safe HTTP methods such as GET. |
Frequently Asked Questions
- What is CSRF and how does it work?
- Cross-Site Request Forgery forces an authenticated user's browser to send an unwanted request to a web application. It exploits the browser's automatic inclusion of cookies with every request to a domain. If a user is logged into Site A and visits a malicious page, that page can submit hidden forms or trigger requests to Site A using the user's session.
- How do SameSite cookies prevent CSRF?
- The SameSite cookie attribute restricts when a cookie is sent on cross-site requests. SameSite=Strict withholds it from every cross-site request. SameSite=Lax sends it only on top-level navigations that use a safe method such as GET, so cross-site form POSTs and subresource requests (fetch, XHR, img, script) go out without it. SameSite=None restores the old behaviour and must be paired with Secure. Chromium treats a cookie that sets no SameSite attribute as Lax, with one exception worth knowing: for about two minutes after such a cookie is set, Chromium still attaches it to top-level cross-site POSTs. Firefox and Safari do not apply the Lax default, so a cookie that relies on the default instead of setting the attribute explicitly is still CSRF-exposed in those browsers.
- Is CSRF still relevant with modern frameworks?
- CSRF is less common but not eliminated. Chromium's Lax default and framework-level CSRF tokens have shrunk the attack surface, but only where they apply: cookies explicitly set to SameSite=None, browsers without the Lax default, state changes reachable by top-level GET (which Lax still allows), subdomain takeover against origin-based checks, and cookie-authenticated APIs that rely on a JSON content type instead of a token all remain exploitable. JSON-based CSRF and cross-origin attacks through CORS misconfigurations are active areas of research.