Quiz Entry - updated: 2026.07.05
How does a Cross-Site Request Forgery (CSRF) attack work?
A malicious page makes the victim's logged-in browser fire a state-changing request to a trusted site; the browser auto-attaches the session cookie, so the request looks legitimate.
* CSRF — the attacker's hidden form makes the victim's logged-in browser POST to the bank with the session cookie auto-attached, so the forged transfer looks legitimate. *
CSRF attack flow:
- Victim logs into e-bank, gets session cookie
JSESSIONID=A23dc... - Victim visits attacker's page while still logged in
- Attacker's page contains hidden form/request to e-bank:
<form action="https://e-bank.com/doTransfer" method="POST">
<input name="fromAccount" value="VICTIM_ACCOUNT">
<input name="toAccount" value="ATTACKERS_ACCOUNT">
<input name="amount" value="108000">
</form>
- Browser automatically includes victim's session cookie
- E-bank processes transfer as legitimate request
Key insight: Browser sends cookies automatically; server can't distinguish legitimate from forged requests.
Go deeper:
PortSwigger — CSRF — the mechanics; why auto-sent cookies make forged requests look legitimate.
CWE-352: Cross-Site Request Forgery (MITRE) — authoritative weakness definition.