Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit unwanted requests to a web application. It exploits the trust a site has in the user's browser by leveraging existing session credentials.
Cross-Site Request Forgery, also known as session riding or one-click attack, exploits the way browsers automatically include credentials (cookies, HTTP authentication) with every request to a website. When a user is authenticated to a web application and visits a malicious page, that page can craft requests to the target application that the browser will execute with the user's full privileges.
A typical CSRF attack works by embedding a hidden form, image tag, or JavaScript request in a page controlled by the attacker. When the victim visits this page, their browser automatically sends the forged request along with any cookies associated with the target domain. The target server cannot distinguish the forged request from a legitimate one because it carries valid session credentials.
The impact varies based on the targeted functionality. Attackers can change email addresses or passwords, transfer funds, modify account settings, or perform any action the victim is authorised to do. In administrative contexts, CSRF can lead to full application compromise.
Defences against CSRF include anti-CSRF tokens (synchroniser tokens) that are unique per session and validated on every state-changing request, setting the SameSite cookie attribute so the browser withholds the session cookie on cross-site requests, requiring re-authentication for sensitive actions, and verifying the Origin or Referer header on incoming requests.
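The following is an added example, not code from the original article, showing three of these defences working together in plain Python: a per-session synchroniser token, an Origin check with Referer fallback, and a SameSite session cookie. The session store, site origin and session id are constructed sample values.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample data (not from the article): an in-memory session store
# standing in for a real one, and the application's own origin.
SESSIONS: Dict[str, Dict[str, str]] = {}
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Synchroniser-token pattern: one random token per session, kept server-side
    and embedded as a hidden field in every state-changing form."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Reject missing tokens; compare in constant time to avoid timing leaks."""
    stored = SESSIONS.get(session_id, {}).get("csrf_token")
    if stored is None or not submitted:
        return False
    return hmac.compare_digest(stored, submitted)


def origin_is_allowed(headers: Dict[str, str]) -> bool:
    """Origin check with Referer fallback; a request carrying neither is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax makes the browser omit the cookie on
    cross-site POSTs, so a forged form post arrives unauthenticated."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax"


def accept_state_change(session_id: str, headers: Dict[str, str],
                        form: Dict[str, str]) -> bool:
    """A state-changing POST must pass both checks (defence in depth)."""
    return origin_is_allowed(headers) and token_is_valid(session_id, form.get("csrf_token"))
```

A forged request from another site fails on the Origin check and, lacking the token the victim's own page would have embedded, on the token check as well.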