Cross-Site Request Forgery (CSRF)

CSRF allows malicious actors to exploit authenticated browser sessions, forcing target users to execute operations (such as emails changes or transfer transfers) without consent.

Target Recon Testing Checklist

1.Check state-changing POST/PUT requests for anti-CSRF token parameters.
2.Test form execution after stripping the CSRF token - does the server still accept it?
3.Check if CSRF tokens are tied to specific sessions or accepted globally.
4.Examine SameSite cookie flags - does the browser send credentials on cross-site requests?

Testing Parameters & Payloads

<form action="https://target.com/api/email" method="POST"><input name="email" value="hacker@evil.com" /></form><script>document.forms[0].submit()</script>

Mitigation & Safe Development Guidelines

Implement unique, cryptographically signed anti-CSRF tokens for all state-changing endpoints.
Set SameSite=Strict or SameSite=Lax attributes on session cookies.
Validate request headers (Origin and Referer) against allowed hosts lists.

0MRADE

xc0mrade@root

Loading0%

Bug Bounty Programs

Vulnerability Disclosure (VDP)

Free Security Audit

UPI & FinSec Security

Healthcare MedSec Shield

Startup Founder Audit

XC0MRADE Secured Badge

Programs Directory

Leaderboard

Skill Passport

Academic College Network

Cyber Insurance Discounts

Blog

Documentation

Trust & Safety

About Us

Contact

Careers

Privacy Policy

Terms of Service

Cross-Site Request Forgery (CSRF)

Target Recon Testing Checklist

Testing Parameters & Payloads

Mitigation & Safe Development Guidelines

Cross-Site Request Forgery (CSRF)

Target Recon Testing Checklist

Testing Parameters & Payloads

Mitigation & Safe Development Guidelines