Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) is a client-side technique used to attack other users of a web application.
CSRF is a declining but persistent threat: it is still a Top 10 Web Risk (OWASP A05:2021) and continues to appear in legacy systems (older PHP/Java apps), in APIs that rely on cookie-based authentication (especially for state-changing actions), and in misconfigured SPAs (missing anti-CSRF tokens).
Testing is still worth it when the app uses session cookies (not just JWT/Bearer tokens), state-changing actions exist (e.g., password changes, payments), and the framework's default protection is absent or switched off (e.g., Django's CSRF middleware disabled).
Not dead yet: test CSRF wherever cookies meet state changes.
- CSRF vulnerability with no defences
- CSRF where token validation depends on request method
- CSRF where token validation depends on token being present
- CSRF where token is not tied to user session
- CSRF where token is tied to non-session cookie
- CSRF where token is duplicated in cookie
- SameSite Lax bypass via method override
- SameSite Strict bypass via client-side redirect
- SameSite Strict bypass via sibling domain
- SameSite Lax bypass via cookie refresh
- CSRF where Referer validation depends on header being present
- CSRF with broken Referer validation
Last update: 2025-05-12 14:16