Lv.2

CSRF (Cross-Site Request Forgery)


A web vulnerability where attackers silently perform actions on behalf of an unsuspecting logged-in user.

In Simple Terms

CSRF is an attack where unintended actions are executed on a website on your behalf while you're logged in. For example, visiting a malicious site while logged into a social network could cause posts to be made or your password changed in the background — without you doing anything. This happens because browsers automatically include authentication data (typically the session cookie) with every request to a site, and attackers exploit that behavior. Pages that perform state-changing actions, such as message boards, online stores, or bank transfer forms, can cause serious harm if CSRF protections are missing.

Behind the Name

CSRF stands for Cross-Site Request Forgery, and the name describes the attack precisely: a request is forged (faked) from a different site, tricking the target into treating it as a legitimate user action. It is widely recognized as one of the core vulnerabilities that threaten web security.

Take a Closer Look!

CSRF is a web vulnerability and attack technique in which a user is forced to unknowingly send requests they never intended.
The attacker sets up a trap that exploits the victim's logged-in browser session to send fake commands to a target site.

In simple terms, the attack abuses the browser's built-in behavior of automatically sending authentication data with every request.
Many websites use cookies to maintain a logged-in state after the initial login.
When the victim clicks a button or link on the attacker's site, the browser automatically attaches the stored cookie to the resulting request, so a command such as "submit a post" arrives at the target site carrying the victim's valid credentials.

If the attack succeeds, actions like posting content, making purchases, or changing the account password can be carried out without the user's knowledge.
The server cannot distinguish whether an incoming request came from a genuine user action or from a trap, so it processes the request as normal.

The standard defense is to include a "token" — a unique value tied to the user's session — that the server verifies to confirm the request genuinely originated from its own pages.
Requiring password re-entry or a one-time password before sensitive operations is also effective.
From the user's side, avoiding suspicious links and logging out when finished are practical precautions.
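As an added illustration of the token defense described above (example code, not part of the original page), the following Python sketch models a target site's "submit a post" endpoint twice: once relying on the session cookie alone, and once also requiring a session-bound token that only the site's own pages can embed. The in-memory session store, the handler names, and the form layout are assumptions made for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user", "csrf_token"}.
# A real deployment would keep this in a server-side session backend.
SESSIONS = {}


def login(user):
    """Create a session and issue a random token bound to that session."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_post_form(session_id):
    """The target site embeds the session's token in its own HTML form.
    Only the site's own pages can read this value; a cross-origin page cannot."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<textarea name="body"></textarea></form>'
    )


def handle_post_vulnerable(cookies, form):
    """Relies on the session cookie alone, which the browser attaches
    to every request regardless of which site initiated it."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"posted as {session['user']}: {form['body']}"


def handle_post_protected(cookies, form):
    """Additionally requires the session-bound token in the form body."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, f"posted as {session['user']}: {form['body']}"


def extract_token(html):
    """Stand-in for the browser submitting the site's own form: read the hidden field."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def simulate():
    """Run a genuine submission and a forged one against both handlers.
    Returns the HTTP status each handler produced for each case."""
    session_id = login("alice")
    # The browser adds this cookie to every request bound for the target site
    cookies = {"session": session_id}

    # Genuine: the form was served by the target site, so the token is present
    genuine_form = {"csrf_token": extract_token(render_post_form(session_id)), "body": "hello"}
    # Forged: a request triggered from another site carries the cookie but cannot
    # include the token, because that site never saw the target's page
    forged_form = {"body": "spam"}

    return {
        "vulnerable_genuine": handle_post_vulnerable(cookies, genuine_form)[0],
        "vulnerable_forged": handle_post_vulnerable(cookies, forged_form)[0],
        "protected_genuine": handle_post_protected(cookies, genuine_form)[0],
        "protected_forged": handle_post_protected(cookies, forged_form)[0],
    }


if __name__ == "__main__":
    for case, status in simulate().items():
        print(f"{case}: HTTP {status}")
```

The cookie-only handler accepts both submissions, which is exactly the gap the page describes: the server cannot tell a trap from a genuine click. The token-checking handler rejects the forged one with 403 because the value lives only in the server's session and in the page the server itself rendered.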
