https://appsec.fyi/csrf.html Curated CSRF resources from appsec.fyi en-us Sun, 12 Apr 2026 16:40:01 +0000 carl@chs.us (Carl Sampson) https://www.bitsight.com/blog/web-application-security-devops-anti-csrf-and-cookie-samesite-options https://www.bitsight.com/blog/web-application-security-devops-anti-csrf-and-cookie-samesite-options Web Application Security: Anti-CSRF & Cookie SameSite Options CSRF Fri, 10 Apr 2026 01:56:25 +0000 https://clerk.com/docs/guides/secure/best-practices/csrf-protection https://clerk.com/docs/guides/secure/best-practices/csrf-protection CSRF Protection - Clerk Docs CSRF Fri, 10 Apr 2026 01:56:24 +0000 https://www.invicti.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery https://www.invicti.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery Preventing CSRF with the SameSite Cookie Attribute CSRF Fri, 10 Apr 2026 01:56:24 +0000 https://blog.cybersamir.com/csrf-attacks-bypassing-samesite-cookies/ https://blog.cybersamir.com/csrf-attacks-bypassing-samesite-cookies/ CSRF Attacks: Bypassing SameSite Cookies CSRF Fri, 10 Apr 2026 01:56:22 +0000 https://sajjapremsai.github.io/blogs/2025/06/28/adva-csrf/ https://sajjapremsai.github.io/blogs/2025/06/28/adva-csrf/ Advanced CSRF: How to Bypass SameSite Cookie Protections CSRF Fri, 10 Apr 2026 01:56:22 +0000 https://www.cobalt.io/learning-center/csrf-bypasses https://www.cobalt.io/learning-center/csrf-bypasses CSRF & Bypasses - Cobalt CSRF Fri, 10 Apr 2026 01:56:21 +0000 https://en.wikipedia.org/wiki/Cross-site_request_forgery https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-site request forgery - Wikipedia CSRF Fri, 10 Apr 2026 01:43:55 +0000 https://owasp.org/www-community/attacks/csrf https://owasp.org/www-community/attacks/csrf CSRF - OWASP Foundation CSRF Fri, 10 Apr 2026 01:43:54 +0000 https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/ https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/ CSRF: Cross Site Request Forgery Example - Imperva CSRF Fri, 10 Apr 2026 01:43:54 +0000 https://cwe.mitre.org/data/definitions/352.html https://cwe.mitre.org/data/definitions/352.html CWE-352: Cross-Site Request Forgery CSRF Fri, 10 Apr 2026 01:43:53 +0000 https://www.paloaltonetworks.com/cyberpedia/csrf-cross-site-request-forgery https://www.paloaltonetworks.com/cyberpedia/csrf-cross-site-request-forgery What Is CSRF? - Palo Alto Networks CSRF Fri, 10 Apr 2026 01:43:52 +0000 https://www.acunetix.com/websitesecurity/csrf-attacks/ https://www.acunetix.com/websitesecurity/csrf-attacks/ What is CSRF? Attacks, Mitigation, Prevention - Acunetix CSRF Fri, 10 Apr 2026 01:43:51 +0000 https://www.rapid7.com/fundamentals/cross-site-request-forgery/ https://www.rapid7.com/fundamentals/cross-site-request-forgery/ CSRF Attacks - Rapid7 CSRF Fri, 10 Apr 2026 01:43:51 +0000 https://www.sentinelone.com/vulnerability-database/cve-2026-25101/ https://www.sentinelone.com/vulnerability-database/cve-2026-25101/ CVE-2026-25101: Bludit Authentication Bypass Vulnerability CSRF Mon, 06 Apr 2026 02:01:20 +0000 https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html Cookies: HTTP State Management Mechanism (RFC 6265bis) CSRF Mon, 06 Apr 2026 02:01:19 +0000 https://aiweekender.substack.com/p/3-security-failure-modes-in-vibe https://aiweekender.substack.com/p/3-security-failure-modes-in-vibe 3 Security Failure Modes in Vibe-Coded Apps CSRF Mon, 06 Apr 2026 02:01:18 +0000 https://www.sentinelone.com/vulnerability-database/cve-2026-34394/ https://www.sentinelone.com/vulnerability-database/cve-2026-34394/ CVE-2026-34394: Wwbn Avideo CSRF Vulnerability CSRF Mon, 06 Apr 2026 02:01:16 +0000 https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF Cross-site request forgery (CSRF) - Security - MDN Web Docs CSRF Mon, 06 Apr 2026 02:01:15 +0000 https://www.msn.com/en-gb/money/other/diamond-award-for-bexhill-and-hastings-community-group-for-retirees/ar-AA1ZiWKK https://www.msn.com/en-gb/money/other/diamond-award-for-bexhill-and-hastings-community-group-for-retirees/ar-AA1ZiWKK Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/eER5YBr CSRF Sat, 04 Apr 2026 19:17:47 +0000 https://medium.com/@agarwaldaksh18/%EF%B8%8F-day-7-csrf-exploitation-techniques-flaws-bypasses-samesite-cookie-mechanics-c6b5999c3d7d https://medium.com/@agarwaldaksh18/%EF%B8%8F-day-7-csrf-exploitation-techniques-flaws-bypasses-samesite-cookie-mechanics-c6b5999c3d7d CSRF Exploitation Techniques — Flaws, Bypasses & SameSite Cookie Mechanics CSRF Fri, 03 Apr 2026 15:57:17 +0000 https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh Lab: SameSite Lax Bypass via Cookie Refresh | PortSwigger CSRF Fri, 03 Apr 2026 15:57:15 +0000 https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override Lab: SameSite Lax Bypass via Method Override | PortSwigger CSRF Fri, 03 Apr 2026 15:57:14 +0000 https://medium.com/h7w/cracking-the-code-advanced-techniques-to-bypass-csrf-defenses-139333fb3202 https://medium.com/h7w/cracking-the-code-advanced-techniques-to-bypass-csrf-defenses-139333fb3202 Advanced Techniques to Bypass CSRF Defenses CSRF Fri, 03 Apr 2026 15:57:12 +0000 https://hackviser.com/tactics/pentesting/web/csrf https://hackviser.com/tactics/pentesting/web/csrf Cross-Site Request Forgery (CSRF) Attack Guide | Hackviser CSRF Fri, 03 Apr 2026 15:57:11 +0000 https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery CSRF (Cross Site Request Forgery) | HackTricks CSRF Fri, 03 Apr 2026 15:57:09 +0000 https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions Bypassing SameSite Cookie Restrictions - CSRF | PortSwigger CSRF Fri, 03 Apr 2026 15:57:08 +0000 https://www.cobalt.io/blog/csrf-bypasses https://www.cobalt.io/blog/csrf-bypasses CSRF & Bypasses | Cobalt CSRF Fri, 03 Apr 2026 15:57:07 +0000 https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html Cross-Site Request Forgery Prevention Cheat Sheet | OWASP CSRF Fri, 03 Apr 2026 15:57:05 +0000 https://www.msn.com/en-gb/money/other/diamond-award-for-bexhill-and-hastings-community-group-for-retirees/ar-AA1ZiWKK?apiversion https://www.msn.com/en-gb/money/other/diamond-award-for-bexhill-and-hastings-community-group-for-retirees/ar-AA1ZiWKK?apiversion Diamond award for Bexhill and Hastings community group for retirees https://ift.tt/GT76kYD CSRF Thu, 02 Apr 2026 19:57:48 +0000 https://attaxion.com/blog/ssrf-vs-csrf-difference/?utm_content=348759727&utm_medium=social&utm_source=twitter&hss_channel=tw-1684349675367694336 https://attaxion.com/blog/ssrf-vs-csrf-difference/?utm_content=348759727&utm_medium=social&utm_source=twitter&hss_channel=tw-1684349675367694336 This content compares SSRF (Server-Side Request Forgery) and CSRF (Cross-Site Request Forgery) vulnerabilities, highlighting their distinctions in targets, impact, and mitigation strategies. It aims to provide a clear understanding of the variances between these two types of security risks. CSRF Thu, 25 Sep 2025 02:49:55 +0000 https://github.com/devanshbatham/Vulnerabilities-Unmasked https://github.com/devanshbatham/Vulnerabilities-Unmasked The content provided is a GitHub repository named "Vulnerabilities-Unmasked" created by devanshbatham. The repository likely contains information related to vulnerabilities in software or systems that have been exposed or revealed. It appears to be a collection of security vulnerabilities that have been identified and documented. The content is brief and does not provide specific details about the vulnerabilities or their nature. CSRF Thu, 14 Aug 2025 04:26:39 +0000 https://medium.com/@malcomvetter/in-praise-of-csrf-tokens-9ff556ac2ea0 https://medium.com/@malcomvetter/in-praise-of-csrf-tokens-9ff556ac2ea0 The content titled "In Praise of CSRF Tokens" by Tim MalcomVetter on Medium likely discusses the importance and benefits of Cross-Site Request Forgery (CSRF) tokens in web security. CSRF tokens are used to prevent unauthorized actions on websites by verifying the origin of requests. The article may highlight how CSRF tokens enhance security measures and protect against malicious attacks. It likely emphasizes the significance of implementing CSRF tokens to safeguard user data and maintain the integrity of web applications. CSRF Thu, 14 Aug 2025 04:26:37 +0000 https://philippeharewood.com/facebook-graphql-csrf/ https://philippeharewood.com/facebook-graphql-csrf/ The content seems to highlight a potential security issue related to Facebook's GraphQL service, specifically concerning Cross-Site Request Forgery (CSRF) attacks. It suggests that access tokens may not be the main target for such attacks. This implies that there may be vulnerabilities in the handling of GraphQL requests that could be exploited by malicious actors. It serves as a cautionary note for users and developers to be aware of potential CSRF risks when using Facebook's GraphQL service. CSRF Thu, 14 Aug 2025 04:26:33 +0000 https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f The content discusses Cross-Site Request Forgery (CSRF) attacks and the importance of implementing secure practices to prevent them. It highlights the risks associated with CSRF attacks, such as unauthorized actions on behalf of users. The author emphasizes the significance of using anti-CSRF tokens and secure coding practices to mitigate these risks. By incorporating these measures, websites can enhance their security and protect users from CSRF vulnerabilities. CSRF Thu, 14 Aug 2025 04:26:29 +0000 https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver https://www.purehacking.com/blog/andre-onofre-lima/bypassing-csrf-tokens-with-pythons-cgihttpserver The content discusses bypassing CSRF tokens using Python's CGIHTTPServer. It explains how to exploit a vulnerability in web applications by using Python scripts to bypass CSRF protection mechanisms. The method involves setting up a local server to receive and process malicious requests, allowing attackers to manipulate user sessions. By understanding this technique, developers can strengthen their defenses against CSRF attacks. CSRF Thu, 14 Aug 2025 04:26:25 +0000 https://security.stackexchange.com/questions/62769/should-login-and-logout-action-have-csrf-protection https://security.stackexchange.com/questions/62769/should-login-and-logout-action-have-csrf-protection The content discusses whether login and logout actions in a web application should have Cross-Site Request Forgery (CSRF) protection. CSRF protection is important for login actions to prevent unauthorized access by malicious websites. However, it may not be necessary for logout actions as they typically do not involve sensitive data. Implementing CSRF protection for both actions can enhance security, but the level of protection needed should be based on the specific risks and requirements of the web application. CSRF Thu, 14 Aug 2025 04:26:21 +0000 https://mixmax.com/blog/modern-csrf https://mixmax.com/blog/modern-csrf The content discusses modern Cross-Site Request Forgery (CSRF) attacks and how they can be prevented. It highlights the importance of protecting against CSRF vulnerabilities by implementing secure coding practices and utilizing tools like SameSite cookies and CSRF tokens. The article emphasizes the significance of understanding the evolving nature of CSRF attacks and staying updated on best practices to safeguard web applications. It provides insights into the impact of CSRF attacks on user data security and suggests proactive measures to mitigate these risks effectively. CSRF Thu, 14 Aug 2025 04:26:19 +0000 https://scotthelme.co.uk/csrf-is-dead/ https://scotthelme.co.uk/csrf-is-dead/ The content discusses the CSRF (Cross-Site Request Forgery) vulnerability and its decreasing relevance due to modern web security practices. It highlights the importance of SameSite cookies, Content Security Policy (CSP), and other security measures in mitigating CSRF attacks. The author emphasizes the need for developers to adopt these security measures to protect against CSRF vulnerabilities effectively. Overall, the article suggests that with the implementation of proper security measures, CSRF attacks are becoming less prevalent and less effective in compromising web applications. CSRF Thu, 14 Aug 2025 04:26:17 +0000 http://stackoverflow.com/questions/35985551/how-does-csrf-work-without-state-parameter-in-oauth2-0 http://stackoverflow.com/questions/35985551/how-does-csrf-work-without-state-parameter-in-oauth2-0 The content discusses the concept of Cross-Site Request Forgery (CSRF) in OAuth 2.0 and how it operates without the state parameter. CSRF attacks can occur when a malicious website tricks a user's browser into making unauthorized requests to a different site where the user is authenticated. The absence of the state parameter in OAuth 2.0 can make it vulnerable to CSRF attacks, potentially compromising user security. It is important to implement proper security measures to prevent CSRF attacks in OAuth 2.0 implementations. CSRF Thu, 14 Aug 2025 04:26:15 +0000 https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/ https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/ The content likely discusses a bug bounty program related to Paypal.me, focusing on a specific issue where a profile picture can be updated without the user's consent. This type of vulnerability could potentially lead to privacy concerns and unauthorized changes to user profiles. It highlights the importance of identifying and fixing such bugs to ensure the security and privacy of users on the platform. CSRF Thu, 14 Aug 2025 04:26:13 +0000 https://css-tricks.com/wordpress-front-end-security-csrf-and-nonces/ https://css-tricks.com/wordpress-front-end-security-csrf-and-nonces/ The content titled "WordPress Front End Security: CSRF and Nonces" on CSS-Tricks likely discusses security measures related to Cross-Site Request Forgery (CSRF) and Nonces in WordPress websites. CSRF protection helps prevent unauthorized actions, while Nonces are security tokens used to verify the origin of requests. The article may delve into how these security features are implemented in WordPress to safeguard against malicious attacks on the front end of websites. CSRF Thu, 14 Aug 2025 04:26:11 +0000 http://stackoverflow.com/questions/11451161/sinatra-csrf-authenticity-tokens http://stackoverflow.com/questions/11451161/sinatra-csrf-authenticity-tokens The content is about using CSRF (Cross-Site Request Forgery) authenticity tokens in a Ruby web application built with Sinatra. This security measure helps prevent unauthorized actions by verifying the origin of requests. The discussion likely involves implementing CSRF protection in Sinatra applications to enhance security and protect against malicious attacks. The content seems to be a question or discussion thread related to this topic on the Stack Overflow platform. CSRF Thu, 14 Aug 2025 04:26:09 +0000 http://www.thedreaming.org/2020/05/26/avoid-csrf-attacks-with-api-design/ http://www.thedreaming.org/2020/05/26/avoid-csrf-attacks-with-api-design/ The content is about preventing Cross-Site Request Forgery (CSRF) attacks through effective API design. CSRF attacks exploit the trust a website has in a user's browser to perform unauthorized actions. By designing APIs with security in mind, developers can implement measures to prevent CSRF attacks, such as using tokens or headers to validate requests. Proper API design can help protect against CSRF vulnerabilities and ensure the security of web applications. CSRF Thu, 14 Aug 2025 04:26:06 +0000 https://blog.reconless.com/samesite-by-default/ https://blog.reconless.com/samesite-by-default/ The content seems to discuss the impact of the "SameSite by Default" attribute on bug bounty hunters. This attribute is a security feature that restricts cookies to first-party contexts by default, enhancing user privacy and security. Bug bounty hunters may need to adapt their testing strategies to account for this change, as it affects how they can discover and report vulnerabilities related to cookies. Understanding the implications of SameSite by Default is crucial for bug bounty hunters to effectively identify and address security issues in web applications. CSRF Thu, 14 Aug 2025 04:26:04 +0000 https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b https://medium.com/@renwa/bypass-samesite-cookies-default-to-lax-and-get-csrf-343ba09b9f2b The content highlights a security vulnerability where bypassing SameSite cookies set to the default "Lax" mode can lead to Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows malicious actors to exploit the lax SameSite cookie setting to perform unauthorized actions on behalf of a user. It emphasizes the importance of properly configuring SameSite cookie settings to prevent CSRF attacks and ensure the security of web applications. CSRF Thu, 14 Aug 2025 04:26:02 +0000 https://link.medium.com/fsUnTVniS0 https://link.medium.com/fsUnTVniS0 I'm sorry, but I am unable to access external content such as the Medium link you provided. If you could provide a brief overview or key points from the content, I would be happy to help summarize it for you in 100 words or less. CSRF Thu, 14 Aug 2025 04:26:00 +0000 https://link.medium.com/eRtuh4nQVZ https://link.medium.com/eRtuh4nQVZ I'm unable to access external content to provide a summary. If you could provide the main points or key ideas from the content, I'd be happy to help summarize it for you. CSRF Thu, 14 Aug 2025 04:25:58 +0000 https://link.medium.com/FPn7EsRFvZ https://link.medium.com/FPn7EsRFvZ I'm unable to access external content. If you provide me with the key points or a brief summary of the content, I'd be happy to help summarize it for you. CSRF Thu, 14 Aug 2025 04:25:56 +0000 https://link.medium.com/d496ONHsdZ https://link.medium.com/d496ONHsdZ I'm sorry, but I am unable to access external content such as the Medium link provided. If you can provide a brief overview or key points from the content, I'd be happy to help summarize it for you within 100 words or less. CSRF Thu, 14 Aug 2025 04:25:54 +0000 https://medium.com/@shub66452/account-takeover-using-csrf-json-based-a0e6efd1bffc https://medium.com/@shub66452/account-takeover-using-csrf-json-based-a0e6efd1bffc The article discusses a security vulnerability known as Cross-Site Request Forgery (CSRF) that can lead to an account takeover when combined with JSON-based attacks. It explains how CSRF works, the impact it can have on user accounts, and how attackers can exploit it to gain unauthorized access. The author provides a detailed explanation of the attack scenario and suggests preventive measures to protect against CSRF and JSON-based attacks. Overall, the article highlights the importance of understanding and mitigating these security risks to safeguard user accounts and sensitive data. CSRF Thu, 14 Aug 2025 04:25:52 +0000