LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does a Cross-Site Request Forgery (CSRF) attack work?

A malicious page makes the victim's logged-in browser fire a state-changing request to a trusted site; the browser auto-attaches the session cookie, so the request looks legitimate.

CSRF: the attacker's hidden form makes the victim's logged-in browser POST with the session cookie auto-attached.

* CSRF — the attacker's hidden form makes the victim's logged-in browser POST to the bank with the session cookie auto-attached, so the forged transfer looks legitimate. *

CSRF attack flow:

  1. Victim logs into e-bank, gets session cookie JSESSIONID=A23dc...
  2. Victim visits attacker's page while still logged in
  3. Attacker's page contains hidden form/request to e-bank:
<form action="https://e-bank.com/doTransfer" method="POST">
  <input name="fromAccount" value="VICTIM_ACCOUNT">
  <input name="toAccount" value="ATTACKERS_ACCOUNT">
  <input name="amount" value="108000">
</form>
  1. Browser automatically includes victim's session cookie
  2. E-bank processes transfer as legitimate request

Key insight: Browser sends cookies automatically; server can't distinguish legitimate from forged requests.

Go deeper:

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jul 05, 2026