Web Security beginner 45 mins

Cross-Site Request Forgery

Learn CSRF attacks and defenses through focused security exercises.

Hands-on Labs
Real-world Scenarios
Immediate Feedback
1

Introduction to CSRF

theory

Learn the fundamentals of Cross-Site Request Forgery attacks and their impact.

What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit unintended requests to a web application. The attacker tricks the victim into executing unwanted actions on a web application where they are currently authenticated.

How CSRF Works

  1. User logs into a legitimate website, such as online banking.
  2. User visits a malicious website while still logged in.
  3. Malicious site sends a request to the legitimate site using the user’s session.
  4. The legitimate site processes the request as if the user intended it.

Common CSRF Attack Vectors

  • HTML Forms: Auto-submitting forms with hidden fields
  • Image Tags: Using img src to trigger GET requests
  • JavaScript: AJAX requests from malicious sites
  • Links: Tricking users to click malicious links

Example CSRF Attack

<!-- Malicious HTML page -->
<form action="https://bank.com/transfer" method="POST" id="csrf-form">
    <input type="hidden" name="amount" value="1000">
    <input type="hidden" name="to_account" value="attacker_account">
</form>
<script>document.getElementById('csrf-form').submit();</script>

Impact of CSRF

  • Unauthorized fund transfers
  • Account settings changes
  • Password modifications
  • Data deletion or modification

Knowledge Check

What is required for a CSRF attack to be successful?