Quiz Entry - updated: 2026.07.05
What conditions make CSRF (Cross-Site Request Forgery) possible?
CSRF works when the browser auto-attaches the victim's session cookie to a cross-site request and the server has no extra check (CSRF token, SameSite, Origin) — so an attacker's page can fire an authenticated action on the victim's behalf.
* CSRF — the victim's browser auto-attaches the session cookie to the attacker-triggered request, so the server can't tell it from a legitimate action. *
CSRF tricks a victim's browser into making authenticated requests to a site where they're already logged in.
Required conditions:
- Session/auth sent automatically: Browser includes cookies with every request to that domain
- No SameSite=Strict cookie: Cookie is sent even from cross-origin requests
- No CSRF token validation: Server doesn't verify request originated from its own forms
- Sensitive action via simple request: Action possible with GET or form POST
How attack works:
- Victim is logged into bank.com
- Victim visits attacker's page
- Page contains:
<img src="https://bank.com/transfer?to=attacker&amount=1000"> - Browser sends request WITH victim's bank.com cookies
- Bank processes transfer as if victim initiated it
Prevention:
SameSite=StrictorSameSite=Laxcookies- Require CSRF tokens in forms
- Verify
Origin/Refererheaders - Require re-authentication for sensitive actions
Go deeper:
PortSwigger — Cross-site request forgery (CSRF) — maps the required conditions to attack/defense (tokens, SameSite, Origin) with labs.
Cross-site request forgery (Wikipedia) — the trust-in-the-browser model and the token / SameSite defenses.