appsec.fyi

Cross-Site Request Forgery (CSRF) Resources


A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application. CSRF attacks target state-changing requests — not data theft — since the attacker cannot see the response to the forged request.

CSRF exploits the browser's automatic inclusion of credentials (cookies, HTTP auth) with every request to a domain. If a user is logged into a banking site and visits a malicious page, that page can submit a hidden form to the banking site — and the browser will attach the user's session cookie automatically. The impact ranges from changing email addresses and passwords to transferring funds and modifying account settings.

While SameSite cookie attributes and CSRF tokens have significantly reduced the attack surface, bypasses continue to emerge. Common techniques include exploiting misconfigured SameSite policies, token fixation, subdomain takeover to bypass origin checks, and leveraging CORS misconfigurations. JSON-based CSRF using Flash or content-type tricks has historically been a rich area for bypasses, and new browser behaviors regularly shift what's exploitable.

CSRF is often combined with other vulnerabilities — an XSS bug can extract CSRF tokens, and open redirects can be used to leak tokens through the Referer header.

This page collects CSRF research, bypass techniques, defense mechanisms, and real-world writeups demonstrating exploitation in modern applications.

From OWASP

Date Added  Link  Excerpt
2026-04-10  Web Application Security: Anti-CSRF & Cookie SameSite Options
2026-04-10  CSRF Protection - Clerk Docs
2026-04-10  Preventing CSRF with the SameSite Cookie Attribute
2026-04-10  CSRF Attacks: Bypassing SameSite Cookies
2026-04-10  Advanced CSRF: How to Bypass SameSite Cookie Protections
2026-04-10  CSRF & Bypasses - Cobalt
2026-04-10  Cross-site request forgery - Wikipedia
2026-04-10  CSRF - OWASP Foundation
2026-04-10  CSRF: Cross Site Request Forgery Example - Imperva
2026-04-10  CWE-352: Cross-Site Request Forgery
2026-04-10  What Is CSRF? - Palo Alto Networks
2026-04-10  What is CSRF? Attacks, Mitigation, Prevention - Acunetix
2026-04-10  CSRF Attacks - Rapid7
2026-04-06  CVE-2026-25101: Bludit Authentication Bypass Vulnerability
2026-04-06  Cookies: HTTP State Management Mechanism (RFC 6265bis)
2026-04-06  3 Security Failure Modes in Vibe-Coded Apps
2026-04-06  CVE-2026-34394: Wwbn Avideo CSRF Vulnerability
2026-04-06  Cross-site request forgery (CSRF) - Security - MDN Web Docs
2026-04-03  CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics
2026-04-03  Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger
2026-04-03  Lab: SameSite Lax Bypass via Method Override | PortSwigger
2026-04-03  Advanced Techniques to Bypass CSRF Defenses
2026-04-03  Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser
2026-04-03  CSRF (Cross Site Request Forgery) | HackTricks
2026-04-03  Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger
2026-04-03  CSRF & Bypasses | Cobalt
2026-04-03  Cross-Site Request Forgery Prevention Cheat Sheet | OWASP
2025-09-25  Side-by-Side Comparison of SSRF vs. CSRF | Attaxion
    Compares SSRF (Server-Side Request Forgery) and CSRF (Cross-Site Request Forgery), highlighting how the two differ in targets, impact, and mitigation strategies.
2025-08-14  devanshbatham/Vulnerabilities-Unmasked
    GitHub repository by devanshbatham collecting identified and documented security vulnerabilities; the listing itself gives no detail about their nature.
2025-08-14  In Praise of CSRF Tokens – Tim MalcomVetter – Medium
    Argues for the value of CSRF tokens: they prevent unauthorized actions by verifying the origin of requests, and implementing them protects user data and the integrity of web applications.
2025-08-14  Facebook GraphQL CSRF – These aren't the access_tokens you're looking for
    Describes a CSRF issue in Facebook's GraphQL service in which access tokens were not the primary target, pointing to weaknesses in how GraphQL requests were handled. A cautionary note for developers building on Facebook's GraphQL service.
2025-08-14  https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f
    Discusses CSRF attacks and the risk of unauthorized actions performed on behalf of users, and emphasizes anti-CSRF tokens and secure coding practices as the mitigations.
2025-08-14  https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver
    Explains bypassing CSRF tokens using Python's CGIHTTPServer: a local server is set up to receive and process malicious requests, allowing user sessions to be manipulated. Understanding the technique helps developers strengthen their CSRF defenses.
2025-08-14  web application - Should login and logout action have CSRF protection? - In
    Discusses whether login and logout actions need CSRF protection. Protecting login prevents unauthorized access by malicious websites; for logout it may be less necessary since no sensitive data is involved. Protecting both improves security, with the level of protection chosen according to the application's specific risks and requirements.
2025-08-14  https://mixmax.com/blog/modern-csrf
    Covers modern CSRF attacks and their prevention through secure coding practices, SameSite cookies, and CSRF tokens, and stresses keeping up with the evolving nature of CSRF attacks and current best practices.
2025-08-14  https://scotthelme.co.uk/csrf-is-dead/
    Argues that CSRF is becoming less relevant thanks to modern web security practices, chiefly SameSite cookies, along with Content Security Policy (CSP) and other measures, and urges developers to adopt them.
2025-08-14  oauth 2.0 - How does CSRF work without state parameter in OAuth2.0? - Stack
    Discusses CSRF in OAuth 2.0 when the state parameter is absent: a malicious website tricks the user's browser into making unauthorized requests to a site where the user is authenticated, so OAuth 2.0 implementations need proper protection against it.
2025-08-14  Paypal bug bounty: Updating the Paypal.me profile picture without consent (
    Bug bounty writeup on Paypal.me in which a profile picture could be updated without the user's consent, a privacy concern and a route to unauthorized profile changes.
2025-08-14  WordPress Front End Security: CSRF and Nonces | CSS-Tricks
    Covers CSRF protection and nonces in WordPress: CSRF protection prevents unauthorized actions, and nonces are security tokens used to verify the origin of requests on the front end of a site.
2025-08-14  ruby - Sinatra CSRF Authenticity tokens - Stack Overflow
    Stack Overflow thread on using CSRF authenticity tokens in a Ruby web application built with Sinatra to verify the origin of requests and prevent unauthorized actions.
2025-08-14  Avoiding CSRF Attacks with API Design
    Preventing CSRF through API design: CSRF exploits the trust a website places in the user's browser, and APIs can be designed to validate requests with tokens or headers.
2025-08-14  Samesite by Default and What It Means for Bug Bounty Hunters
    Discusses the impact of SameSite-by-default on bug bounty hunters: the attribute restricts cookies to first-party contexts by default, so testing strategies for cookie-related vulnerabilities have to adapt.
2025-08-14  Bypass SameSite Cookies Default to Lax and get CSRF
    Describes how bypassing the default SameSite=Lax setting can lead to CSRF, and emphasizes configuring SameSite cookie settings properly.
2025-08-14  https://link.medium.com/fsUnTVniS0
2025-08-14  https://link.medium.com/eRtuh4nQVZ
2025-08-14  https://link.medium.com/FPn7EsRFvZ
2025-08-14  https://link.medium.com/d496ONHsdZ
2025-08-14  https://medium.com/@shub66452/account-takeover-using-csrf-json-based-a0e6efd1bffc
    Describes an account takeover through JSON-based CSRF: how the attack works, its impact on user accounts, the attack scenario, and preventive measures against it.
2025-08-14  https://portswigger.net/web-security/csrf
    PortSwigger's CSRF overview: how the attack tricks an authenticated user into executing actions on a website, its impact, and prevention methods such as anti-CSRF tokens.
2025-08-14  https://m0z.co/Exploiting-Post-Based-CSRF/
2025-08-14  https://link.medium.com/KEV3enHoLW
2021-04-13  Avoiding CSRF Attacks with API Design
2020-02-14  Samesite by Default and What It Means for Bug Bounty Hunters
    Blog post by Filedescriptor, Ron Chan, and Edoverflow on how SameSite-by-default affects the ability to find and report vulnerabilities in web applications, and on strategies for adapting to the change.
2020-01-19  Facebook GraphQL CSRF – These aren't the access_tokens you're looking for
    A CSRF-style query on business.instagram.com allowed unauthorized GraphQL calls. The bug was found in the "View the Assigned Roles and Emails of an Instagram Account" feature during authorization on business.instagram.com/login, where users without an Instagram Business account encountered an error page.
2019-09-19  https://m0z.co/Exploiting-Post-Based-CSRF/
2019-03-13  Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack.
    While testing an application whose "Delete User" module lets admins delete any user, the author brute-forces user IDs via CSRF to delete all users in a single CSRF attack, showing how a missing CSRF check on an admin action can be turned into mass unauthorized deletion.
2019-02-10  WordPress Front End Security: CSRF and Nonces | CSS-Tricks
    Continuation of an earlier article on XSS and the WordPress functions that prevent it; this part covers CSRF and nonces as protections against unauthorized actions on WordPress sites.
2018-06-26  Self-XSS + CSRF to Stored XSS
    Renwa from Kurdistan's first write-up on information security and bug bounties.
2018-04-30  Steal CSRF/Auth/Unique key Header with XSS
2018-04-06  A Deep Dive into CSRF Protection in Rails – Ruby Inside – Medium
    Deep dive into CSRF protection in Rails, updated in June 2019 to reflect Rails 6 code changes: the mechanisms and best practices for implementing CSRF protection in Ruby on Rails applications.
2018-01-02  0ang3el/EasyCSRF
2017-02-22  Cross-Site Request Forgery is dead!
    Argues that Same-Site Cookies address the longstanding CSRF problem effectively, a development that could render CSRF obsolete.
2016-10-17  Paypal bug bounty: Updating the Paypal.me profile picture without consent (
    Bug bounty writeup on a Paypal.me bug that allowed the profile picture to be updated without the account owner's consent, a vulnerability permitting unauthorized changes to user profiles.

Frequently Asked Questions

What is CSRF and how does it work?
Cross-Site Request Forgery forces an authenticated user's browser to send an unwanted request to a web application. It exploits the browser's automatic inclusion of cookies with every request to a domain. If a user is logged into Site A and visits a malicious page, that page can submit hidden forms or trigger requests to Site A using the user's session.
How do SameSite cookies prevent CSRF?
The SameSite cookie attribute restricts when cookies are sent with cross-site requests. SameSite=Strict blocks cookies on all cross-site requests. SameSite=Lax (the modern default) allows cookies only on top-level GET navigations, blocking them for POST forms and subresource requests from other sites. One caveat: Chrome's default-Lax enforcement exempts cookies set within the last two minutes from the POST restriction, which is what the "SameSite Lax Bypass via Cookie Refresh" lab above exercises; setting SameSite explicitly rather than relying on the default closes that window.
Is CSRF still relevant with modern frameworks?
CSRF is less common but not eliminated. SameSite=Lax defaults and framework-level CSRF tokens have reduced the attack surface significantly. However, misconfigurations, subdomain takeover, and APIs that rely on cookie authentication without CSRF tokens remain exploitable. JSON-based CSRF and cross-origin attacks through CORS misconfigurations are active areas of research.
