Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that allows an attacker to make requests to various sites on behalf of a victim user. If the victim visits a site containing malicious code, a request is sent in her name to another service (for example, a social network) and performs a destructive action (for example, deleting the user's account).


  1. The website lets users transfer money by account number
    <form method="POST" action="/transferMoney">
       <input type="number" name="accountNumber"/>
       <input type="number" name="amount"/>
       <input type="submit" value="Transfer money"/>
    </form>
  2. The money transfer form is processed only if the user is authorized on the website
  3. The website is vulnerable to a Cross-Site Request Forgery attack


  1. The attacker determines that the website is vulnerable to the CSRF attack
  2. The attacker finds an XSS on a popular website (or is the owner of the site) and embeds in it code that sends the website's form
    <form method="POST" action="" id="csrf-form">
       <input type="number" name="accountNumber" value="1337"/>
       <input type="number" name="amount" value="200"/>
       <input type="submit" value="Transfer money">
    </form>


  1. The victim is authorized on the site
  2. The victim lands on another resource, possibly through phishing
  3. From that resource, a request submitting the site's form is performed
  4. As a result, money is transferred from the user to the attacker's account


The required condition is that the user is authorized on the website, so the browser holds a Cookie for that site. The website's code can verify the identity of the user, but cannot verify that the form was sent by the user. The exploit on the other resource executes a POST request that carries the Cookie for the website:

Cookie: (bank authentication cookie)
Content-Type: application/x-www-form-urlencoded
Content-Length: 29


The same-origin policy does not block a form submission from another origin. The website will process the request as if it came from the user and make the money transfer.
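The gap described above, where the server can identify the user but cannot tell who built the form, shown as an added example that is not code from the original page. The session store, the `session` cookie name, the `csrf_token` field and all function names are assumptions for illustration; the forged body reuses the form values from the attacker's page.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret
SESSIONS = {"sess-alice": "alice"}     # constructed session store: cookie value -> user
COOKIES = {"session": "sess-alice"}    # what the browser attaches to every request to the site
FORGED_BODY = "accountNumber=1337&amount=200"   # body of the cross-site form, 29 bytes

def csrf_token_for(session_id):
    """Token tied to the session; the site renders it as a hidden field in its own form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def legit_body(account, amount):
    """Body produced by the site's own form, which carries the hidden token."""
    return urlencode({"accountNumber": account, "amount": amount,
                      "csrf_token": csrf_token_for(COOKIES["session"])})

def do_transfer(user, form):
    try:
        account, amount = int(form["accountNumber"][0]), int(form["amount"][0])
    except (KeyError, ValueError):
        return 400, "bad form"
    return 200, f"{user} sent {amount} to account {account}"

def transfer_vulnerable(cookies, body):
    """Cookie check only: knows who the user is, not which page built the form."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, "not logged in"
    return do_transfer(user, parse_qs(body))

def transfer_hardened(cookies, body):
    """Same cookie check, plus a token that another origin cannot read or guess."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, "not logged in"
    form = parse_qs(body)
    sent = form.get("csrf_token", [""])[0]
    expected = csrf_token_for(cookies["session"])
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return do_transfer(user, form)

if __name__ == "__main__":
    print(transfer_vulnerable(COOKIES, FORGED_BODY))   # forged request accepted
    print(transfer_hardened(COOKIES, FORGED_BODY))     # forged request rejected
```

Both handlers receive the same cookie in every case; only the hardened one distinguishes the site's own form from the cross-site one.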
