Introduction
CSRF stands for Cross-Site Request Forgery.
It is an attack where a user is tricked into performing an action on a website without realizing it.
How It Works
When you log into a website, your browser stores a session, usually in a cookie.
If you visit a malicious site while still logged in, that site can make your browser send requests to the first site on your behalf.
Example:
- you are logged into your bank
- you visit a malicious page
- the page sends a transfer request
The browser attaches your session cookie to that request automatically.
Example
<img src="https://bank.com/transfer?amount=1000&to=attacker">
If no protection is in place, the request may succeed.
Why This Happens
Websites trust requests that come with valid sessions.
They do not always verify whether the request was deliberately initiated by the user.
How It Is Prevented
The main protection is CSRF tokens.
- server generates a random token
- token is included in forms
- server verifies it before processing
Other protections:
- SameSite cookies
- requiring re-authentication for sensitive actions
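The token check and the SameSite cookie attribute, shown together in a minimal Python request handler. This is an added illustration, not code from the original page; the in-memory session store, the /transfer route and the form field names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data (assumption).
SESSIONS = {}

def create_session():
    """Log a user in: create a session and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(session_id):
    """Set-Cookie line for the session; SameSite=Lax keeps the cookie off
    cross-site POSTs, which blocks the forged form submission case."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"

def csrf_token_for(session_id):
    return SESSIONS[session_id]["csrf_token"]

def render_transfer_form(session_id):
    """Embed the session's token as a hidden field (token_urlsafe output
    only contains URL-safe characters, so no HTML escaping is needed)."""
    token = csrf_token_for(session_id)
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="to"><button>Send</button></form>')

def verify_csrf(session_id, submitted_token):
    """Constant-time comparison of the submitted token with the session's token."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)

def handle_transfer(cookies, form):
    """POST /transfer: the session cookie alone is not enough; the request
    must also carry the token that only a page served by this site knows."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not verify_csrf(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"

if __name__ == "__main__":
    sid = create_session()
    legit = {"amount": "10", "to": "alice", "csrf_token": csrf_token_for(sid)}
    forged = {"amount": "1000", "to": "attacker"}  # cookie present, no token
    print(handle_transfer({"session": sid}, legit))   # (200, ...)
    print(handle_transfer({"session": sid}, forged))  # (403, ...)
```

The forged request fails even though the browser attached the session cookie, because the cross-site page cannot read the token from the real form; the same check would also reject a guessed token.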
Why This Matters
This attack does not need stolen passwords.
It uses the fact that the user is already logged in.
Conclusion
CSRF is about abusing trust between the browser and the website.
Proper validation of requests is what prevents it.