what is csrf attack
What Is a CSRF Attack? (Quick Scoop)
A CSRF attack (Cross-Site Request Forgery) is when an attacker tricks a logged‑in user’s browser into sending unwanted requests to a website where that user is already authenticated, making the site think the user really intended to perform those actions.🧠 Simple definition
- CSRF = “drive‑by action” on your logged‑in accounts.
If you are logged into banking, email, or an admin panel, an attacker can craft a hidden request (like “transfer money” or “change email”) and get your browser to send it without your explicit approval.
- The site sees a valid session cookie, assumes it’s really you, and processes the request.
Think of it like someone forging your signature on a form while the bank still trusts that signature.
⚙️ How a CSRF attack works (step‑by‑step)
- You log in to a site
- Example:
samplebank.com, you authenticate and get a session cookie in your browser.
- Example:
- You stay logged in (cookie still valid)
- You open other tabs, maybe browse forums, email, social media. Your banking session is still active in the background.
- Attacker sends you a malicious link or page
- Via email, chat, or a website they control, they embed something like an auto‑submitting form or an image request that hits your bank.
- Your browser automatically includes your cookie
- It sends a POST/GET request to
samplebank.comwith your session cookie: the bank thinks it’s a legit request from you.
- It sends a POST/GET request to
- The action is performed
- This could be:
- Transferring funds
- Changing your email/password
- Deleting your account
- Changing security settings
- This could be:
If the victim is an admin , a CSRF on their account can compromise the entire application (e.g., creating new admin users, changing global settings).
🎯 What attackers usually target
Typical CSRF targets are any state‑changing operations where the browser includes authentication automatically:
- Money transfers or payment approvals
- Changing account email, phone number, or password
- Adding or modifying API keys
- Changing access roles or permissions (especially in admin panels)
- Deleting data or accounts
CSRF is not about stealing cookies directly; it’s about abusing the trust that a site has in your already‑authenticated session.
🧪 A quick example story
Bob is logged into
samplebank.comin one tab and reading a tech blog in another tab. The blog is controlled by an attacker. Inside the blog page, there’s a hidden form that auto‑submits a request to transfer 5,000 from Bob’s account to the attacker’s account onsamplebank.com. When Bob loads the page, his browser silently sends the POST request with his valid session cookie. The bank sees “authenticated Bob,” processes the transfer, and Bob later discovers the missing money.
Bob never clicked a “Transfer” button on the bank’s site—but the bank could not tell the request was forged.
🧩 How CSRF is different from XSS
Both are web application attacks but they target different trust relationships :
- CSRF : Exploits the trust the server has in the user’s browser (cookies, sessions).
- XSS : Exploits the trust the user has in the website , injecting malicious script into the site viewed by others.
They often show up together: XSS can be used to craft or strengthen CSRF attacks, but they are conceptually distinct.
🛡️ How websites prevent CSRF
Modern apps use several layered defenses to stop CSRF:
- CSRF tokens (anti‑forgery tokens)
- A secret, unpredictable value added to forms or AJAX requests.
- The server verifies the token on each state‑changing request. A random attacker page cannot guess this value.
- SameSite cookies
- Cookies marked
SameSite=LaxorSameSite=Strictare not sent with cross‑site requests, which greatly limits classic CSRF attack patterns.
- Cookies marked
- Checking Referer / Origin headers
- Server verifies that the request is coming from the same site, not from an attacker’s domain (not perfect, but an extra layer).
- Re‑authentication and explicit confirmation
- Asking the user for password/2FA or explicit confirmation for sensitive actions (e.g., “Are you sure you want to transfer money?”).
- Using secure frameworks and libraries
- Many modern frameworks (ASP.NET Core, Spring, Django, Rails, etc.) include built‑in anti‑CSRF protections that developers should enable/configure properly.
📌 Quick FAQ style recap
- Q: What is a CSRF attack in one line?
A: It’s when a malicious site tricks your browser into making unwanted, authenticated actions on another site where you’re logged in.
- Q: Does CSRF steal my password?
Not directly; it abuses your existing session to perform actions as you.
- Q: Is CSRF still relevant with modern browsers?
Yes, but it’s mitigated better now (SameSite cookies, framework protections); poorly configured or legacy apps are still at risk.
- Q: Who should care?
- Web developers (must implement proper defenses)
- Security testers / pentesters
- Anyone running financial, e‑commerce, or admin panels on the web
🧾 SEO-style meta description
Cross-Site Request Forgery (CSRF) is a web attack where a malicious site tricks a logged-in user’s browser into performing unwanted actions on another site, such as money transfers or account changes, by abusing existing authentication like session cookies.
TL;DR: CSRF attacks exploit your logged‑in session to trigger actions you never meant to perform, which is why modern apps use CSRF tokens, SameSite cookies, and extra verification for sensitive operations.
Information gathered from public forums or data available on the internet and portrayed here.