What is Cross-Site Request Forgery (CSRF)?

Definition

CSRF

What is Cross-Site Request Forgery?

An attack that tricks an authenticated user's browser into submitting an unauthorized request to a web application where the user is currently logged in. Because the request originates from the legitimate user's browser, it carries valid session credentials, allowing the attacker to perform state-changing actions — such as fund transfers, email changes, or account deletions — without the victim's knowledge. CSRF is mitigated by anti-forgery tokens and the SameSite cookie attribute.

Related terms

Cross-Site Scripting (XSS) →

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Broken Authentication →

A class of vulnerabilities that allows attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.

OWASP Top 10 →

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP).

Web Application Firewall (WAF) →

A security control that monitors, filters, and blocks HTTP/HTTPS traffic between clients and a web application based on rule sets designed to detect common attack patterns.

Put this into practice

Autonomous OWASP vulnerability scanning →

See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.