Cross-Site Request Forgery (CSRF)
What is it?
CSRF, short for Cross-Site Request Forgery, is a web security flaw that lets an attacker make a logged-in user's browser perform actions the user did not intend.
A simple example:
A vulnerable web application has the endpoint /updateProfile?id={userid}. When a POST request is made to this endpoint the application:
- Checks the ID is the current user
- If it is, updates the profile with the information provided in the request body
When the victim visits the attacker's malicious site, it will:
- Send a request to the vulnerable web application
- Because the user is logged into that application, the browser will include cookies (importantly, the session cookie)
- The vulnerable application processes the request as normal since it came from the user
It's important to note that we need some user interaction for CSRF to work. Typically an attacker would place their payload on a site that they control, and try to entice the target with phishing emails, direct messages on social media, etc. Once the user clicks the link and lands on the page, the payload is triggered.
CSRF defences are now pretty common, so along with just finding places where users can carry out actions, we also need to be able to bypass defences that have not been properly implemented.
Other learning resources:
PortSwigger: Web Security Academy https://portswigger.net/web-security/csrf
The XSS Rat: Bug Bounty Beginner Methodology: CSRF https://www.youtube.com/watch?v=uirJsgvN7Hc
Writeups:
Checklist
Is the referer header being used to validate the request origin?
Do the cookies have SameSite set? (Chrome defaults to Lax when it is absent)
Can we submit the request with GET?
Can we override HTTP methods with `X-Http-Method-Override: GET`?
Can we override HTTP methods with `_method=POST`?
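The request flow in the example above and the items in the checklist, seen from the server's side as an added example (this is not code from the original page): a small Python module that authorizes a state-changing request the way a hardened /updateProfile handler would. It refuses safe methods on both the wire method and the overridden one, requires a matching Origin or Referer, and checks a per-session token in constant time, and it reports whether a Set-Cookie value carries SameSite. APP_ORIGIN, the csrf_token form field, the session token helper and the sample requests are assumptions for illustration.

```python
"""Server-side CSRF checks for a state-changing endpoint such as /updateProfile."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the application; a real app reads this from configuration.
APP_ORIGIN = "https://app.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def effective_method(method, headers, form):
    """Method the framework would dispatch on once override mechanisms are applied."""
    override = headers.get("X-Http-Method-Override") or form.get("_method")
    return (override or method).upper()


def origin_allowed(headers):
    """Strict check of Origin (preferred) or Referer against APP_ORIGIN.

    A missing header is treated as untrusted: proxies and privacy settings can
    strip Referer, and a lenient 'allow if absent' rule is the gap the
    checklist item about Referer validation is probing for.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def token_valid(session_token, submitted_token):
    """Constant-time comparison of the per-session token with the form field."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def authorize_state_change(method, headers, form, session_token):
    """Decide whether a request may change state. Returns (allowed, reason)."""
    raw = method.upper()
    dispatched = effective_method(method, headers, form)
    # The endpoint honours POST only, judged on both the wire method and the
    # overridden one, so neither a plain GET nor an override can skip the checks.
    if raw in SAFE_METHODS or dispatched in SAFE_METHODS:
        return False, "state change attempted with a safe method (raw or overridden)"
    if not origin_allowed(headers):
        return False, "origin/referer missing or not trusted"
    if not token_valid(session_token, form.get("csrf_token")):
        return False, "csrf token missing or mismatched"
    return True, "ok"


def cookie_samesite(set_cookie_value):
    """Return the SameSite attribute of a Set-Cookie value, or None if it was not set."""
    for attr in set_cookie_value.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().capitalize() or None
    return None


def new_session_token():
    """Assumed helper: a random per-session token stored server-side with the session."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_session_token()
    # Constructed requests for the demo, not captured traffic.
    legit = authorize_state_change(
        "POST", {"Origin": APP_ORIGIN}, {"csrf_token": token, "name": "alice"}, token)
    cross_site = authorize_state_change(
        "POST", {"Referer": "https://attacker.example/page"}, {"name": "mallory"}, token)
    overridden = authorize_state_change(
        "POST", {"Origin": APP_ORIGIN, "X-Http-Method-Override": "GET"},
        {"csrf_token": token}, token)
    print(legit, cross_site, overridden)
    print(cookie_samesite("session=abc; Path=/; Secure; HttpOnly"))
    print(cookie_samesite("session=abc; Path=/; SameSite=Strict"))
```

The origin check and the token check are independent layers: the token alone defends the endpoint, while the origin check is a cheap first filter that also catches requests that arrive with no token field at all. Reading the SameSite attribute is useful when auditing Set-Cookie responses, since a cookie with no attribute relies on the browser's default rather than an explicit policy.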
Exploitation