CSRF
Cross-Site Request Forgery — tricking a logged-in user's browser into making unwanted requests.
CSRF tricks a victim’s already-authenticated browser into submitting a request the attacker crafted — transferring funds, changing an email address — riding on the user’s session cookie without ever stealing the credentials. The standard defenses are anti-CSRF tokens (a secret value tied to the session that the attacker cannot predict or read) and SameSite cookies (so the browser does not send the session cookie on cross-site requests). Contrast with XSS, which runs attacker script in the page; CSRF abuses the trust the server places in the user’s session.
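The two defenses named above, as an added example that is not part of the original entry: a constructed in-process model of a transfer endpoint with and without a per-session token check, plus a minimal browser model that honours the cookie's SameSite attribute. All names (`SESSIONS`, `browser_request`, `transfer_vulnerable`, `transfer_protected`) are assumptions made for this illustration, not a real framework's API.

```python
"""Added example: anti-CSRF token check and SameSite cookie, simulated in-process."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (stands in for a real framework's sessions).
SESSIONS: dict = {}


def create_session(user: str) -> str:
    """Log a user in: issue a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_set_cookie(sid: str, samesite: str = "Lax") -> str:
    """Set-Cookie header value; SameSite tells the browser when to send it."""
    return f"session={sid}; HttpOnly; Secure; Path=/; SameSite={samesite}"


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def browser_request(set_cookie: str, method: str, form: dict, cross_site: bool) -> Request:
    """Constructed browser model: attaches the session cookie according to SameSite.
    Strict: never on cross-site requests. Lax: not on cross-site non-GET. None: always."""
    attrs = [a.strip() for a in set_cookie.split(";")]
    name, _, value = attrs[0].partition("=")
    samesite = next((a.split("=", 1)[1] for a in attrs if a.lower().startswith("samesite=")), "None")
    send = True
    if cross_site and samesite.lower() == "strict":
        send = False
    if cross_site and samesite.lower() == "lax" and method != "GET":
        send = False
    return Request(method, {name: value} if send else {}, dict(form))


def _do_transfer(user: str, form: dict, balances: dict) -> tuple:
    to, amount = form.get("to"), int(form.get("amount", 0))
    if amount <= 0 or balances.get(user, 0) < amount or to not in balances:
        return 400, "bad transfer"
    balances[user] -= amount
    balances[to] += amount
    return 200, f"moved {amount} from {user} to {to}"


def transfer_vulnerable(req: Request, balances: dict) -> tuple:
    """Trusts the session cookie alone: a forged cross-site POST goes through."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    return _do_transfer(sess["user"], req.form, balances)


def transfer_protected(req: Request, balances: dict) -> tuple:
    """Requires POST and a token matching the one bound to this session."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison. A cross-site page cannot learn this token because
    # the same-origin policy stops it from reading our responses.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return _do_transfer(sess["user"], req.form, balances)


def demo() -> dict:
    """Runs the four scenarios and returns the HTTP status each produced."""
    results = {}
    sid = create_session("alice")
    forged = {"to": "mallory", "amount": "50"}  # constructed form a hostile page auto-submits
    # 1. SameSite=None cookie and no token check: the forgery succeeds.
    balances = {"alice": 100, "mallory": 0}
    req = browser_request(session_set_cookie(sid, "None"), "POST", forged, cross_site=True)
    results["no_defense"] = transfer_vulnerable(req, balances)[0]
    # 2. Same cookie, but the handler checks the token the forged form lacks.
    balances = {"alice": 100, "mallory": 0}
    results["token_blocks_forgery"] = transfer_protected(req, balances)[0]
    # 3. Legitimate same-site form carrying the session's token.
    legit = {**forged, "csrf_token": SESSIONS[sid]["csrf_token"]}
    req = browser_request(session_set_cookie(sid, "None"), "POST", legit, cross_site=False)
    results["token_allows_legit"] = transfer_protected(req, balances)[0]
    # 4. SameSite=Lax: the browser withholds the cookie on a cross-site POST,
    #    so even the unprotected handler sees an anonymous request.
    balances = {"alice": 100, "mallory": 0}
    req = browser_request(session_set_cookie(sid, "Lax"), "POST", forged, cross_site=True)
    results["samesite_blocks_forgery"] = transfer_vulnerable(req, balances)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 4 shows why SameSite is a useful second layer rather than a replacement for the token: it relies on every client honouring the attribute, while the token check is enforced entirely by the server and also covers same-site requests that a token-less handler would accept.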