Cross Site Request Forgery (CSRF)

Riya Jain
2 min read, Aug 30, 2023


Cross-Site Request Forgery (CSRF) attacks allow an attacker to forge and submit requests to a web application as a logged-in user. CSRF exploits the fact that browsers attach ambient credentials (such as cookies) to requests triggered by HTML elements, even when those requests are cross-origin.

Like XSS, launching a CSRF attack requires the attacker to convince the victim to click on or navigate to a link. Unlike XSS, CSRF only lets the attacker make requests to the victim’s origin; it does not give the attacker code execution within that origin. This does not make CSRF any less important to defend against. As the example below shows, CSRF can be as dangerous as XSS.

There are two main parts to execute a Cross-Site Request Forgery (CSRF) attack:

1) The first part is to trick the victim into clicking a link or loading a page. This is normally done through social engineering: the attacker lures the user into clicking the link.

2) The second part is to have the victim’s browser send a “forged” (attacker-constructed) request. The link causes a legitimate-looking request to be sent to the web application, carrying the values the attacker wants. Because the browser attaches ambient credentials, the request also includes any cookies the victim has for that website.

Let’s walk through an example.

So currently I am on a vulnerable website which is: http://testphp.vulnweb.com

The PoC looks like this:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://testphp.vulnweb.com/userinfo.php" method="POST">
      <input type="hidden" name="urname" value="John&#32;Smith" />
      <input type="hidden" name="ucc" value="1234&#45;5678&#45;2300&#45;9000" />
      <input type="hidden" name="uemail" value="email&#64;email&#46;com" />
      <input type="hidden" name="uphone" value="2323345" />
      <input type="hidden" name="uaddress" value="21&#32;street" />
      <input type="hidden" name="update" value="update" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The attacker then updates the PoC with the details they want to change and sends it to the victim using social engineering techniques, such as sending the link via email.

CSRF vulnerability was exploited!
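The request above succeeds because userinfo.php accepts any POST that arrives with the victim’s session cookie. The following is an added example, not code from the original post or from the vulnerable site, of the server-side checks that would have rejected it: the session cookie is issued with SameSite=Lax, the Origin/Referer header must match the site’s own origin, and a per-session synchronizer token must be present in the form and compared in constant time. The session store, the `Request` model, the `csrf_token` field name and the site origin constant are assumptions made for the example; the form field names (`urname`, `ucc`, `update`) are the ones from the PoC.

```python
"""Server-side CSRF defences for a form endpoint like /userinfo.php.

Added example (not the original site's code). Three layers are modelled:
  1. the session cookie is issued with SameSite=Lax, so a browser will not
     attach it to a cross-site POST in the first place;
  2. the Origin (or Referer) header must match this site's origin;
  3. a synchronizer token bound to the session must be submitted with the
     form and is compared in constant time.
"""
import hmac
import secrets
from dataclasses import dataclass

# Origin from the post's PoC; the handler around it is hypothetical.
SITE_ORIGIN = "http://testphp.vulnweb.com"

# Constructed in-memory session store: session id -> CSRF token.
SESSIONS: dict[str, str] = {}


def start_session() -> str:
    """Create a session and mint a CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms as <input name="csrf_token">."""
    return SESSIONS[sid]


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs."""
    return f"session={sid}; HttpOnly; SameSite=Lax; Path=/"


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": "..."} or {"Referer": "..."}
    cookies: dict   # e.g. {"session": sid}
    form: dict      # POST body fields


def request_origin(headers: dict):
    """Origin header if present, otherwise scheme://host[:port] of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = referer.split("/")
        if len(parts) >= 3:
            return parts[0] + "//" + parts[2]
    return None


def check_csrf(req: Request):
    """Return (accepted, reason). Only state-changing methods are checked."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return False, "no valid session"
    src = request_origin(req.headers)
    if src is None:
        return False, "missing Origin/Referer"
    if src != SITE_ORIGIN:
        return False, f"cross-origin request from {src}"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), SESSIONS[sid].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = start_session()
    # A request shaped like the PoC: cross-origin, no token (constructed).
    forged = Request("POST", {"Origin": "http://attacker.example"},
                     {"session": sid},
                     {"urname": "John Smith", "ucc": "1234-5678-2300-9000",
                      "update": "update"})
    # The site's own form submission carries the token.
    genuine = Request("POST", {"Origin": SITE_ORIGIN}, {"session": sid},
                      {"urname": "John Smith", "update": "update",
                       "csrf_token": csrf_token_for(sid)})
    print("forged :", check_csrf(forged))
    print("genuine:", check_csrf(genuine))
```

Detection note: the `cross-origin request from ...` and `missing or wrong CSRF token` rejection reasons are worth logging with the session id, since a cluster of them against one account is the typical trace of a CSRF attempt against that user.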

Riya Jain

Security Analyst | Penetration Tester | Red Team | Blue Team | eJPT|CAP | CND | Purple Team