All You Need To Know About Cross-Site Request Forgery (CSRF)

Use Netsparker


Cross-Site Request Forgery is a term you’ve properly heard in the context of web security or web hacking, but do you really know what it means? The OWASP definition is as follows:

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

All You Need To Know About Cross-Site Request Forgery (CSRF)

CSRF is often underrated on the risk spectrum but we’ve actually covered some pretty nasty incidents involving CSRF attacks:

CSRF Vulnerability in Twitter Allows Forced Following
Password Manager Security – LastPass, RoboForm Etc Are Not That Safe
Ubiquiti Wi-Fi Gear Hackable Via 1997 PHP Version

And some tools to help test for CSRF vulnerabilities:

IronWASP – Open Source Web Security Testing Platform
Hcon Security Testing Framework (HconSTF) v0.4 – Fire Base
xssless – An Automated XSS Payload Generator Written In Python

Acunetix has come out with a great article explaining it in more depth and also how you can prevent it, it contains information about:

  • Cross-site Request Forgery in GET requests
  • Cross-site Request Forgery in POST requests
  • Preventing CSRF Vulnerabilities
    • Anti-CSRF tokens
    • Same-site Cookies

For developers, you should pay special attention to the prevention part and make sure whatever you are building is safe.

There are two approaches by which Cross-site Request Forgery (CSRF) may be prevented – synchronizing the Cookie with an anti-CSRF token that has already been provided to the browser, or preventing the browser from sending Cookies to the web application in the first-place.

Check it out in full here: What is Cross-site Request Forgery?

Posted in: Exploits/Vulnerabilities

, ,


Latest Posts:


dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.


One Response to All You Need To Know About Cross-Site Request Forgery (CSRF)

  1. KG July 31, 2017 at 8:33 pm #

    That’s not much that I need to know, apperently