Cross-site Request Forgery (CSRF)

What is Cross-site Request Forgery (CSRF)?

Cross-site Request Forgery (CSRF) is a vulnerability where an attacker can cause an end user to execute unintended actions on a web application in which the user is currently authenticated. The victim's browser sends a request the attacker crafted, with the victim's session cookies attached automatically, and the application cannot distinguish it from a request the user intended. With a bit of social engineering help (such as sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker's choosing.

In these types of attacks, the attacker is unable to see the responses to the forged requests, because the browser's same-origin policy keeps the response from the attacker's page. CSRF is therefore only useful for state-changing actions: the attacker benefits if the request changes the user's credentials, contact details or other account data in a way that lets them take over or abuse the account.

These types of attacks succeed when three conditions hold: the application relies solely on something the browser attaches automatically, such as a session cookie, to authenticate requests; there is an action the user can perform that the attacker benefits from; and the attacker knows or can guess every parameter needed to complete the request. If any required parameter is unpredictable to the attacker, such as a secret token, the forged request fails.

A successful CSRF exploit can compromise end-user data and operations when it targets a regular user. If the targeted end user holds an administrator account, a CSRF attack can compromise the entire web application, leading to full data disclosure and sometimes full system access.

The most effective way to protect against CSRF vulnerabilities is to include a CSRF token within relevant requests, for example, as a parameter in a hidden form field. The token must contain sufficient entropy and be generated using a cryptographically secure random number generator, so that it is not feasible for an attacker to determine or predict the value issued to another user.

This token should be a nonce, a one-time value that the server regenerates after each use, or at minimum a secret bound to the user's session. The server must compare the submitted token against the value it stored for that session and reject the request if the token is missing or does not match; a token issued to one session must never be accepted for another.
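The following is an added example, not code from the original page or from RedTeam Security, that puts the three attack conditions and the token defence above into one runnable script. It models a hypothetical account-settings handler with an in-memory session store (both constructed for the example), shows the auto-submitting form an attacker would host, and runs the same forged request against the handler with and without the token check. The token is per-session, compared in constant time, and rotated after each successful use, so a captured token cannot be replayed.

```python
import hmac
import secrets

# Constructed server-side session store for the example: session id -> session data.
SESSIONS = {}


def new_session(username):
    """Log a user in: mint a session id and a per-session CSRF secret (both CSPRNG-generated)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid


def csrf_token_for(sid):
    """Value the server embeds in its own forms as <input type="hidden" name="csrf_token">.
    Only a page served to the logged-in user can carry it; the attacker's origin cannot read it."""
    return SESSIONS[sid]["csrf"]


def change_email(cookies, form, require_token):
    """Hypothetical POST /account/email handler.
    cookies: what the browser attached automatically; form: the submitted body.
    Returns (status_code, message)."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    if require_token:
        supplied = form.get("csrf_token", "")
        # Expected value comes from the server-side session, never from the request itself;
        # compare in constant time so the check does not leak the token byte by byte.
        if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
        # One-time use: rotate after a successful check so a captured token cannot be replayed.
        sess["csrf"] = secrets.token_urlsafe(32)
    sess["email"] = form["email"]
    return 200, "email updated"


def attacker_page(target_url):
    """HTML the attacker hosts on their own site. The victim's browser submits the form with the
    victim's cookies attached; the attacker knows every parameter except the CSRF token."""
    return (
        f'<form id="f" action="{target_url}" method="POST">'
        '<input type="hidden" name="email" value="attacker@example.com"></form>'
        '<script>document.getElementById("f").submit();</script>'
    )


def simulate(require_token):
    """Run a forged request, a legitimate request, and a replay of the legitimate token.
    Returns the status codes plus the email value left behind by the forged request."""
    sid = new_session("alice")
    cookies = {"session": sid}  # the browser attaches this to every request to the site
    forged_status, _ = change_email(cookies, {"email": "attacker@example.com"}, require_token)
    forged_email = SESSIONS[sid]["email"]
    token = csrf_token_for(sid)  # available only from a page the server rendered for alice
    legit_status, _ = change_email(
        cookies, {"email": "alice@example.org", "csrf_token": token}, require_token)
    replay_status, _ = change_email(
        cookies, {"email": "attacker@example.com", "csrf_token": token}, require_token)
    return {"forged": forged_status, "forged_email": forged_email,
            "legit": legit_status, "replay": replay_status}


if __name__ == "__main__":
    print(attacker_page("https://bank.example/account/email"))
    print("no token check:", simulate(require_token=False))
    print("token check   :", simulate(require_token=True))
```

With `require_token=False` the forged request returns 200 and the stored email becomes the attacker's; with `require_token=True` the forged request and the replay both return 403 while the legitimate submission still returns 200. Rotating the token per request is the page's recommendation; a per-session token (drop the rotation line) would still block the forged request but would let the replay through.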
