Cross-Site Request Forgery (CSRF)

Definition

Cross-Site Request Forgery (CSRF or XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

Why It Matters

CSRF exploits the trust that a site has for a user. A successful attack can cause a victim to change their email address, transfer funds, or perform any other action available on the site, all without their knowledge.

Contextual Example

A user is logged into their banking website. They then visit a malicious website, which contains hidden code that automatically submits a request to the banking site to transfer money. Because the user is already authenticated to the bank, the browser includes their session cookie with the request, and the bank processes the transfer.

Common Misunderstandings

  • The primary defense against CSRF is the use of anti-CSRF tokens. The server generates a unique, unpredictable token for each session and requires it to be included in all state-changing requests.
  • CSRF is different from XSS. In XSS, the attacker injects a script into the trusted site. In CSRF, the attacker tricks the user's browser into sending a request to the trusted site.
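As an added example (not code from the original page), the banking scenario above in a minimal Python sketch: one handler trusts the session cookie alone, the other also requires the per-session anti-CSRF token described in the first bullet. The in-memory session store, the handler names and the request dictionaries are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf_token": ...}
# (a real application would use its framework's session backend)
SESSIONS = {}

def login(user):
    """Create a session and bind a fresh, unpredictable anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own forms for this session."""
    return SESSIONS[sid]["csrf_token"]

def transfer_vulnerable(cookie_sid, form):
    """State-changing handler that relies on the session cookie alone.
    The browser attaches the cookie to a cross-site form post too, so a forged
    request is accepted exactly like a legitimate one."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not authenticated"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def transfer_protected(cookie_sid, form):
    """Same handler, but the request body must carry the session's token.
    A third-party page cannot read the token, so a forged request lacks it."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not authenticated"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "invalid or missing CSRF token"
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"

def demo():
    """Replay the scenario: the bank's own form versus a forged cross-site post."""
    sid = login("alice")
    # Submitted from the bank's page: the hidden token field is present.
    legit = {"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)}
    # Auto-submitted by a malicious page: the cookie (sid) rides along, the token cannot.
    forged = {"to": "attacker", "amount": "1000"}
    return {
        "vuln_forged": transfer_vulnerable(sid, forged)[0],        # 200: transfer goes through
        "protected_forged": transfer_protected(sid, forged)[0],    # 403: rejected
        "protected_legit": transfer_protected(sid, legit)[0],      # 200: genuine form still works
    }

if __name__ == "__main__":
    print(demo())
```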

Related Terms

Last Updated: December 17, 2025