What is a Cross-Site Request Forgery (CSRF) Attack?

  • By Greg Brown
  • Apr 07, 2023

Successful attackers can find a single vulnerability and turn it into millions of dollars if the compromised account is large enough. The most effective ones keep it simple by using the victim's own browser as the means of attacking unwitting users.

Cross-site request forgery, commonly called CSRF, is an attack method in which an attacker uses header and form data to exploit the trust a website places in a user's browser.

Although the two are often confused, CSRF differs from cross-site scripting (XSS): XSS injects malicious code into otherwise benign and trusted websites, whereas CSRF forces users into unwanted actions on a site where they are currently authenticated. If an administrator account is hijacked this way, the entire application can be compromised.

The first documented use of CSRF came in 2005 with the fastest-spreading worm the world had seen, dubbed Samy, which was designed to propagate across MySpace. Within the first 24 hours, over one million users clicked on the worm, which displayed the string "but most of all, Samy is my hero." It was the first documented XSS worm to use CSRF as its replication method.

Notable CSRF Attacks:

  • In 2006, Netflix had a challenging cross-site scripting problem that allowed attackers to add DVDs to a person's account and change login credentials and addresses.
  • In 2007, Gmail found several CSRF vulnerabilities early in its development cycle.
  • Yahoo Calendar allowed attackers to use CSRF to schedule malicious events.

A CSRF attack begins when a logged-in user visits a page the attacker controls, and that page causes the user's authenticated browser to send a rogue HTTP request to the application. As long as the victim is still authenticated to the target site, the forged request can make a bank account authorize transfers, change account information, or make charges.

One significant advantage for attackers is that many victims never log out anymore. Attacks use social media, links, or attachments to make sure unwitting victims visit the pages the attacker controls.

Anatomy of CSRF Attacks

CSRF is a form of confused deputy attack: a forged request is sent from the victim's browser to a web server, which acts on it using the victim's authentication. The confused deputy also serves as an escalation technique, attacking accounts higher up the food chain or network, such as administrators, which can result in a complete account takeover.

During a CSRF attack, the victim's browser is tricked into sending HTTP requests to a web application according to the attacker's instructions. Those requests carry the victim's session cookies in their headers. Cookies store the user's session so the user does not have to keep re-authenticating.

The browser stores these small blocks of data to hold session and user information. Cookies have been a security risk since two years after they were invented in 1994 by a Netscape engineer, and notable malware attacks have been routed through the innocent little cookie. Several types of cookies make up the landscape: session cookies, persistent cookies, and supercookies.

Cookies themselves cannot install or transport malware because of their small size and the way they are written. Cookie-based authentication, however, is vulnerable to CSRF, so security measures such as CSRF tokens should be used.

If the application is vulnerable to CSRF, attackers can launch forged requests against banking and other financial accounts. The victim's website cannot tell a legitimate request from a forged one.

  • The attacker forges a request for a fund transfer or other financial transaction and embeds it in a hyperlink.
  • Working from a purchased or stolen list of victims, the attacker texts or emails the malicious link to anyone who may be logged into the banking site at the time.
  • The unwitting visitor clicks the malicious link, and the embedded request is sent to the bank's website without the user's knowledge.
  • The website validates the request, and the funds are transferred.

Who is Susceptible to CSRF?

Given how damaging the attack is, it would be logical to assume it can go after any browser; fortunately, this is not the case. Websites that only perform simple queries and retrieval are not susceptible to CSRF, as they do not modify or update anything the way a fund transfer does. Transactional sites such as your bank or an e-commerce store, however, are heavily targeted, because most of them rely solely on credentials the browser submits automatically.

Forums and message boards are highly susceptible to CSRF attacks. For example, an attacker builds a crafted message with images of sports teams or designer clothing that contain the embedded CSRF code. Users who click the images or links in the post may compromise other members viewing the message.

Persistent cookies continue to be a security issue and are highly vulnerable to CSRF attacks. Many modern social media platforms offer an "always logged in" option. The attack can be triggered from the target application itself, or from another blog or site that hosts a crafted URL.

Protection For CSRF

Web development is challenging, tedious work that demands a great deal of talent. The Open Worldwide Application Security Project (OWASP) publishes a web security testing guide, a resource for web developers and security professionals.

CSRF attacks are simple to design for an attacker with coding knowledge. Successful CSRF attacks are a particular concern when developing modern applications for financial websites subject to strict regulation.

Because cookie authentication is vulnerable to CSRF, the most widely used prevention method is the CSRF token. In the synchronizer token pattern, a unique, secret value is added to each request.

When a user submits a form or other web transaction that relies on a cookie, the request must include an anti-CSRF token. The web application then verifies that the token is present and valid before proceeding.

Developers should choose a well-tested and reliable anti-CSRF library. Well-designed tokens have quality attributes such as binding to a unique session identifier, automatic expiration, and cryptographic strength.
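As an added example (not code from the original article), here is a minimal synchronizer-token check in Python for a cookie-authenticated transfer endpoint: the token is generated per session, compared in constant time, expires automatically, and a request that carries only the session cookie is rejected. The session store, request shape and function names are assumptions made for this illustration.

```python
# Added example (not from the original article): a minimal synchronizer-token
# check for a cookie-authenticated "transfer" endpoint. Session store, request
# shape and helper names are assumptions made for this illustration.
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds before a token expires automatically (assumed value)

# session_id -> {"user": ..., "csrf": token, "csrf_issued": timestamp}
SESSIONS = {}


def login(user):
    """Create the session (what the cookie identifies) and issue a CSRF token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user}
    rotate_token(session_id)
    return session_id


def rotate_token(session_id):
    """Issue a fresh random token; the server embeds it in the next form it renders."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf"] = token
    SESSIONS[session_id]["csrf_issued"] = time.time()
    return token


def token_is_valid(session_id, submitted, now=None):
    """The token must be present, unexpired, and equal to the session's token."""
    sess = SESSIONS.get(session_id)
    if sess is None or not submitted:
        return False
    if (now or time.time()) - sess["csrf_issued"] > TOKEN_TTL:
        return False
    # constant-time comparison so a mismatch cannot be detected by timing
    return hmac.compare_digest(sess["csrf"], submitted)


def handle_transfer(request, now=None):
    """State-changing handler: the cookie proves who, the token proves intent."""
    session_id = request.get("cookies", {}).get("session")
    if session_id not in SESSIONS:
        return 401, "not authenticated"
    submitted = request.get("form", {}).get("csrf_token")
    if not token_is_valid(session_id, submitted, now):
        return 403, "csrf token missing, stale or invalid"
    amount = request["form"]["amount"]
    return 200, f"transferred {amount} for {SESSIONS[session_id]['user']}"
```

A page on another origin can make the browser attach the session cookie, but it cannot read the token out of the bank's own form, so the forged request fails the token check.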

Always Keep Your Data Safe, Especially When In Browsers

Keep tweaking your browser's security settings, especially the cookie deletion options. Get in the habit of regularly clearing out as many cookies as you can without losing login information for your banking and credit card accounts. Until there is no more suspicion of attack, it may be wise to delete all cookies every time you log out.
