Cross-site request forgery attack

OWASP 2013-A8 OWASP 2017-A5 OWASP 2021-A1 PCI v3.2-6.5.9 CAPEC-62 CWE-352 HIPAA-164.306(a) ISO27001-A.14.2.5 WASC-09 WSTG-SESS-05

Cross-Site Request Forgery (CSRF), also known as XSRF, is an attack that leads a user to execute unwanted actions on a web application to which they have access. Usually it looks like a regular link to the web application, but the parameters are manipulated so that the HTTP request does what the attacker intended. It is used to make state-changing requests, such as changing the password or making account transactions. Social engineering is used to influence the user into performing the action the attacker chooses; the lure may arrive as a mail or a chat message. The higher the victim's privilege, the higher the chance of compromising the application. If the victim is a standard user account, the attack will be used for changing the mail ID or password, or even transferring funds. In the case of an Administrator account, it will compromise the whole application.


Cross-site Request Forgery (CSRF) in GET requests

Given below is an example of how Cross-site Request Forgery (CSRF) can be used to abuse the user through a GET request using the <img> tag.


        <a href="">You won a prize click here to claim</a>


The attacker can generate a custom attribute like the one in the above example and include it in a website controlled by the attacker. When the user opens the malicious site while logged in to the application, it will use an HTTP GET request to perform the password change. The user won't notice the password change.

Cross-site Request Forgery in POST requests

If the application only works through POST requests, the attacker can still use a POST request to abuse the user. All banking and sensitive information also goes through POST requests. All the attacker needs to do is write JavaScript that submits the POST request.

        <iframe src="" style="width:0;height:0;border:0;border:none;"></iframe>
        <!-- iframe contents -->
        <body onload="document.getElementById('csrf').submit()">
        <form id="csrf" action="" method="POST">
        <input name="amount" value="10000" />
        </form>
        </body>



The impact includes:

  • Attackers might get full access to the application
  • Loss of trust from the user.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Use Anti-CSRF tokens
  • Implement Same-site Cookies
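
Both fixes together, as an added example that is not Beagle's code: a session cookie issued with the SameSite attribute, and a per-session anti-CSRF token checked on every state-changing request. The names SERVER_KEY, issue_session_cookie, issue_csrf_token, verify_csrf_token and handle_request, and the csrf_token form field, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_session_cookie(session_id):
    """Return a Set-Cookie value with SameSite, Secure and HttpOnly set."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def _mac(nonce, session_id):
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Random nonce plus an HMAC that binds the token to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(nonce, session_id)}"


def verify_csrf_token(session_id, token):
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Constant-time comparison, done on bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(mac.encode(), _mac(nonce, session_id).encode())


def handle_request(method, session_id, form):
    """Return an HTTP status: 403 when a state-changing request lacks a valid token."""
    # SameSite=Lax still sends the cookie on top-level cross-site GET
    # navigations, so safe methods must never change state.
    if method in SAFE_METHODS:
        return 200
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403
    return 200  # token valid: the state change may proceed
```

The token is embedded in every form the application renders for the logged-in session; a forged cross-site form cannot supply it because the attacker's page cannot read the application's responses.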
