appsec.fyi

A somewhat curated list of links to various topics in application security.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

From OWASP

Item | Date Added | Link | Excerpt
1 | 2025-08-14 04:26:37 UTC | In Praise of CSRF Tokens – Tim MalcomVetter – Medium | The article "In Praise of CSRF Tokens" by Tim MalcomVetter on Medium likely discusses the importance and benefits of Cross-Site Request Forgery (CSRF) tokens in web security. CSRF tokens are used to prevent unauthorized actions on websites by verifying the origin of requests. The article may highlight how CSRF tokens enhance security measures and protect against malicious attacks, and it likely emphasizes the significance of implementing CSRF tokens to safeguard user data and maintain the integrity of web applications.
2 | 2025-08-14 04:26:29 UTC | https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f | The content discusses Cross-Site Request Forgery (CSRF) attacks and the importance of implementing secure practices to prevent them. It highlights the risks associated with CSRF attacks, such as unauthorized actions on behalf of users. The author emphasizes the significance of using anti-CSRF tokens and secure coding practices to mitigate these risks. By incorporating these measures, websites can enhance their security and protect users from CSRF vulnerabilities.
3 | 2025-08-14 04:26:25 UTC | https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver | The content discusses bypassing CSRF tokens using Python's CGIHTTPServer. It explains how a vulnerability in web applications can be exploited by using Python scripts to bypass CSRF protection mechanisms. The method involves setting up a local server to receive and process malicious requests, allowing attackers to manipulate user sessions. By understanding this technique, developers can strengthen their defenses against CSRF attacks.
4 | 2025-08-14 04:26:21 UTC | web application - Should login and logout action have CSRF protection? - In | The content discusses whether login and logout actions in a web application should have Cross-Site Request Forgery (CSRF) protection. CSRF protection is important for login actions to prevent unauthorized access by malicious websites. However, it may not be necessary for logout actions, as they typically do not involve sensitive data. Implementing CSRF protection for both actions can enhance security, but the level of protection needed should be based on the specific risks and requirements of the web application.
5 | 2025-08-14 04:26:19 UTC | https://mixmax.com/blog/modern-csrf | The content discusses modern Cross-Site Request Forgery (CSRF) attacks and how they can be prevented. It highlights the importance of protecting against CSRF vulnerabilities by implementing secure coding practices and utilizing tools like SameSite cookies and CSRF tokens. The article emphasizes the significance of understanding the evolving nature of CSRF attacks and staying updated on best practices to safeguard web applications. It provides insights into the impact of CSRF attacks on user data security and suggests proactive measures to mitigate these risks effectively.
6 | 2025-08-14 04:26:17 UTC | https://scotthelme.co.uk/csrf-is-dead/ | The content discusses the CSRF (Cross-Site Request Forgery) vulnerability and its decreasing relevance due to modern web security practices. It highlights the importance of SameSite cookies, Content Security Policy (CSP), and other security measures in mitigating CSRF attacks. The author emphasizes the need for developers to adopt these security measures to protect against CSRF vulnerabilities effectively. Overall, the article suggests that with the implementation of proper security measures, CSRF attacks are becoming less prevalent and less effective in compromising web applications.
7 | 2025-08-14 04:26:15 UTC | oauth 2.0 - How does CSRF work without state parameter in OAuth2.0? - Stack | The content discusses the concept of Cross-Site Request Forgery (CSRF) in OAuth 2.0 and how it operates without the state parameter. CSRF attacks can occur when a malicious website tricks a user's browser into making unauthorized requests to a different site where the user is authenticated. The absence of the state parameter in OAuth 2.0 can make it vulnerable to CSRF attacks, potentially compromising user security. It is important to implement proper security measures to prevent CSRF attacks in OAuth 2.0 implementations.
8 | 2025-08-14 04:26:13 UTC | Paypal bug bounty: Updating the Paypal.me profile picture without consent ( | The content likely discusses a bug bounty program related to Paypal.me, focusing on a specific issue where a profile picture can be updated without the user's consent. This type of vulnerability could potentially lead to privacy concerns and unauthorized changes to user profiles. It highlights the importance of identifying and fixing such bugs to ensure the security and privacy of users on the platform.
9 | 2025-08-14 04:26:11 UTC | WordPress Front End Security: CSRF and Nonces | CSS-Tricks | The article "WordPress Front End Security: CSRF and Nonces" on CSS-Tricks likely discusses security measures related to Cross-Site Request Forgery (CSRF) and nonces in WordPress websites. CSRF protection helps prevent unauthorized actions, while nonces are security tokens used to verify the origin of requests. The article may delve into how these security features are implemented in WordPress to safeguard against malicious attacks on the front end of websites.
10 | 2025-08-14 04:26:09 UTC | ruby - Sinatra CSRF Authenticity tokens - Stack Overflow | The content is about using CSRF (Cross-Site Request Forgery) authenticity tokens in a Ruby web application built with Sinatra. This security measure helps prevent unauthorized actions by verifying the origin of requests. The discussion likely involves implementing CSRF protection in Sinatra applications to enhance security and protect against malicious attacks. The content appears to be a question or discussion thread on this topic on the Stack Overflow platform.
11 | 2025-08-14 04:26:02 UTC | Bypass SameSite Cookies Default to Lax and get CSRF | The content highlights a security vulnerability where bypassing SameSite cookies set to the default "Lax" mode can lead to Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows malicious actors to exploit the lax SameSite cookie setting to perform unauthorized actions on behalf of a user. It emphasizes the importance of properly configuring SameSite cookie settings to prevent CSRF attacks and ensure the security of web applications.
12 | 2025-08-14 04:26:00 UTC | https://link.medium.com/fsUnTVniS0 | 
13 | 2025-08-14 04:25:58 UTC | https://link.medium.com/eRtuh4nQVZ | 
14 | 2025-08-14 04:25:56 UTC | https://link.medium.com/FPn7EsRFvZ | 
15 | 2025-08-14 04:25:54 UTC | https://link.medium.com/d496ONHsdZ | 
16 | 2025-08-14 04:25:52 UTC | https://medium.com/@shub66452/account-takeover-using-csrf-json-based-a0e6efd1bffc | The article discusses a security vulnerability known as Cross-Site Request Forgery (CSRF) that can lead to an account takeover when combined with JSON-based attacks. It explains how CSRF works, the impact it can have on user accounts, and how attackers can exploit it to gain unauthorized access. The author provides a detailed explanation of the attack scenario and suggests preventive measures to protect against CSRF and JSON-based attacks. Overall, the article highlights the importance of understanding and mitigating these security risks to safeguard user accounts and sensitive data.
17 | 2025-08-14 04:25:50 UTC | https://portswigger.net/web-security/csrf | The linked page discusses Cross-Site Request Forgery (CSRF) attacks, a type of web security vulnerability where an attacker tricks a user into unknowingly executing actions on a website they are authenticated with. The article likely covers how CSRF attacks work, their impact on web security, and methods to prevent them, such as using anti-CSRF tokens. It is important for web developers and users to understand CSRF risks and implement protective measures to safeguard against such attacks.
18 | 2025-08-14 04:25:48 UTC | https://m0z.co/Exploiting-Post-Based-CSRF/ | 
19 | 2025-08-14 04:25:46 UTC | https://link.medium.com/KEV3enHoLW | 
20 | 2023-10-31 12:47:38 UTC | ssrf | The content mentions "ssrf" and provides a link: https://ift.tt/vybYKpI. The term "ssrf" likely refers to Server-Side Request Forgery, a type of security vulnerability. The link appears to lead to a specific resource related to SSRF.
21 | 2021-04-13 21:23:51 UTC | Avoiding CSRF Attacks with API Design | The content provided does not relate to avoiding CSRF attacks with API design. It is a brief introduction to Jason Walton, who is a software developer and photographer.
22 | 2020-02-14 14:50:44 UTC | Samesite by Default and What It Means for Bug Bounty Hunters | The blog post discusses the impact of the "SameSite by Default" feature on bug bounty hunters. It highlights how this feature affects the ability to find and report security vulnerabilities in web applications. The authors, Filedescriptor, Ron Chan, and Edoverflow, provide insights into the challenges and opportunities this change brings for security researchers. The post likely delves into strategies for adapting to this new security measure and navigating its implications for bug bounty programs.
23 | 2020-01-19 15:41:03 UTC | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for | A CSRF-style query on business.instagram.com allowed unauthorized GraphQL calls. A bug was found in the "View the Assigned Roles and Emails of an Instagram Account" feature. The issue was discovered during authorization on business.instagram.com/login. Users without an Instagram Business account encountered an error page. This vulnerability highlights a potential security risk in Facebook's GraphQL system.
24 | 2019-09-19 11:15:19 UTC | https://m0z.co/Exploiting-Post-Based-CSRF/ | 
25 | 2019-03-13 04:12:11 UTC | Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. | The content discusses testing an application with a "Delete User" module that allows admins to delete any user. The focus is on brute-forcing user IDs via CSRF (Cross-Site Request Forgery) to delete all users using a CSRF attack. This highlights a potential security vulnerability where an attacker could exploit CSRF to delete multiple users without authorization.
26 | 2019-02-10 03:07:33 UTC | WordPress Front End Security: CSRF and Nonces | CSS-Tricks | The content discusses WordPress front-end security, focusing on Cross-Site Request Forgery (CSRF) and nonces. It is a continuation of a previous article that covered Cross-Site Scripting (XSS) and WordPress functions to prevent XSS attacks. CSRF protection and nonces are important security measures to protect WordPress websites from unauthorized actions and malicious attacks. The article aims to educate readers on implementing these security features to enhance the overall security of WordPress websites.
27 | 2018-06-26 04:39:07 UTC | Self-XSS + CSRF to Stored XSS | Renwa from Kurdistan is excited to share their first write-up on information security and bug bounties.
28 | 2018-06-07 16:18:34 UTC | Leaking Amazon.com CSRF Tokens Using Service Worker API • Abdullah Hussam | The content discusses the discovery of a potential security vulnerability at Amazon.com that could result in a complete account takeover. The focus is on leaking Amazon.com CSRF tokens using the Service Worker API. The author, Abdullah Hussam, shares this finding as a cautionary note to raise awareness about the security implications of such vulnerabilities.
29 | 2018-04-30 22:25:03 UTC | Steal CSRF/Auth/Unique key Header with XSS | The content is incomplete and lacks specific information to provide a concise summary.
30 | 2018-04-06 00:48:40 UTC | A Deep Dive into CSRF Protection in Rails – Ruby Inside – Medium | The content discusses CSRF protection in Rails, with updates reflecting code changes in Rails 6 as of June 2019. CSRF protection is crucial for securing web applications against malicious attacks. The article likely delves into the mechanisms and best practices for implementing CSRF protection in Ruby on Rails applications, emphasizing the importance of staying updated with the latest changes to ensure robust security measures.
31 | 2018-01-02 02:44:20 UTC | 0ang3el/EasyCSRF | The content is a call to action to contribute to the development of EasyCSRF by creating a GitHub account. The project, hosted on the 0ang3el GitHub repository, invites users to participate in its development by signing up and collaborating on the codebase.
32 | 2017-02-22 05:00:27 UTC | Cross-Site Request Forgery is dead! | Cross-Site Request Forgery (CSRF) has been a longstanding issue on the web, but a new solution called Same-Site Cookies has emerged to address it effectively. This development marks a significant advancement in web security, potentially rendering CSRF obsolete.
33 | 2016-10-17 01:52:01 UTC | Paypal bug bounty: Updating the Paypal.me profile picture without consent ( | The content appears to be about a bug bounty program related to Paypal, specifically focusing on a bug that allows updating the Paypal.me profile picture without the account owner's consent. This type of vulnerability could potentially lead to unauthorized changes to user profiles. PayPal likely offers rewards or bounties to individuals who discover and report such security flaws in their systems.
332016-10-17 01:52:01 UTCPaypal bug bounty: Updating the Paypal.me profile picture without consent (The content appears to be about a bug bounty program related to Paypal, specifically focusing on a bug that allows updating the Paypal.me profile picture without the account owner's consent. This type of vulnerability could potentially lead to unauthorized changes to user profiles. PayPal likely offers rewards or bounties to individuals who discover and report such security flaws in their systems.