The Cross Site Request Forgery attack is one of those types of attacks that are hard to recognize at first glance. It is most often used in conjunction with other attacks. It involves forcing a user to perform an unwanted action in a web application. When combined with other vulnerabilities, CSRF can result in various effects. Sometimes it can be [exposing sensitive data](https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba), [deleting, editing and adding data](https://ysamm.com/?p=702) or
https://medium.com/@gpiechnik/understanding-the-cross-site-request-forgery-csrf-attack-b1dc2374f83 1/15
10/4/23, 11:30 AM Understanding the Cross Site Request Forgery (CSRF) attack | by Grzegorz Piechnik | Medium
Token
There are several ways to protect against CSRF attacks. It is worth mentioning that
most of today’s frameworks have built-in protection against CSRF (for example,
.NET).
One of the many ways, and the most well-known one, to protect against CSRF is to generate random tokens, i.e. to use the Synchronizer Token Pattern. These tokens are generated on the server side once per user session or anew before each request. Then, after submitting a form that looks like the following:
The server verifies that the CSRFToken submitted with the form matches the one it generated earlier. The attacker is not able to predict the token that the server generated only moments earlier.
We see in front of us a simple form for transferring funds to other users' accounts. We have 500 funds in our account. Now let's go to the attacker's site at the link http://localhost:3001/ .
Let's take a look at the Network tab in the developer tools. As you can see, several requests have been sent to the vulnerable page. In addition, when we return to it, we can see that our balance has changed.
How did it happen that the balance of our account decreased by 13? Let’s check the
requests from the attacker more closely.
to=alice&amount=9
Among the requests there were two with a response status of 302. One of them is a GET request whose parameters specify the person to whom our funds are to be sent (alice) and the amount (4). The second is a POST request whose body carries the same information, this time with an amount of 9. Together that is 13 funds, which is exactly how much has disappeared from our account.
```text
┌──(figaro㉿kali)-[~/Desktop/3rdtools/Bolt]
└─$ python3 bolt.py -u http://www.ip:port/ -l 2
⚡ BOLT ⚡
(...)
⚡ Phase: Crawling [1/6]
[!] Crawled 12 URL(s) and found 12 form(s).
⚡ Phase: Evaluating [2/6]
[+] Insecure form(s) found
⚡ Phase: Comparing [3/6]
[-] No CSRF protection to test
```
```text
┌──(figaro㉿kali)-[~/Desktop/3rdtools/XSRFProbe]
└─$ xsrfprobe -u http://www.ip:port/
+----------------------------------+
| Referer Based Request Validation |
+----------------------------------+
+---------------------------------+
| Origin Based Request Validation |
+---------------------------------+
```
Sources
https://owasp.org/www-community/attacks/csrf
https://github.com/Learn-by-doing/csrf-examples
https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba
https://ysamm.com/?p=702
https://nirajmodi51.medium.com/missing-cors-leads-to-complete-account-takeover-1ed4b53bf9f2
https://github.com/s0md3v/Bolt
https://github.com/0xInfection/XSRFProbe