Cross-Site Request Forgery (CSRF)
CSRF is an attack that tricks a victim's browser into submitting a request the victim never intended, to a site where the victim is already authenticated. Because the browser attaches the victim's credentials automatically, the request runs with the victim's identity and privileges and performs an action on their behalf.
Attack Simulation
The simulation shows a fake prize page ("YOU WON $1,000,000!" with a "Claim Prize" button) while a bank session cookie is still valid. In the interactive version: log in to the bank, switch to the malicious site, click the button, then check your bank balance.
The Mechanism
- Trust: Browsers automatically attach a domain's cookies, including the session cookie, to requests sent to that domain, even when the request was triggered from a page on a different site (unless the cookie's SameSite attribute forbids it).
- Deception: The attacker builds a link or a form (for example a "Claim Prize" button) whose real target is `bank.com/transfer`, with the transfer parameters pre-filled. The attacker never sees the cookie; the browser adds it.
- Execution: If the victim is logged in, the bank sees a request carrying a valid session cookie and, with no other check, has no way to tell it apart from one the user made deliberately, so it processes the transfer.
Prevention & Defense
Anti-CSRF Tokens: A unique, unpredictable token generated by the server, tied to the user's session, embedded in the site's own forms and checked on every state-changing request. A cross-site page cannot read it, so a forged request arrives without a valid token and is rejected. The check must be on a value the attacker cannot supply; a token that is only read back from a cookie the browser sends anyway gives no protection.
SameSite Cookie Attribute: Setting the session cookie to `SameSite=Strict` or `SameSite=Lax` tells the browser not to attach it to cross-site requests. `Lax` still sends the cookie on top-level GET navigations (a link the victim clicks), so state changes must never be reachable via GET. Treat SameSite as defence in depth alongside tokens, not as a replacement.
Re-Authentication: Asking for the password (or a second factor) again immediately before sensitive actions such as changing a password, changing an e-mail address or transferring money, so a forged request cannot complete without something the attacker does not have.