# Cross site request forgery (CSRF)

> Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/Cross-site_request_forgery)

* [PortSwigger - Web Security Academy - Cross-site request forgery (CSRF)](https://portswigger.net/web-security/csrf)

## Conditions

The following three conditions must all hold for a CSRF attack to be possible:

* A relevant action (changing email, password, etc.)
* Cookie-based session handling (the app relies solely on session cookies to identify the user, so the browser attaches them automatically)
* No unpredictable request parameters (CSRF token, current password, etc.)

## Burp Suite

Right-click the request -> Engagement tools -> Generate CSRF PoC

## Vulnerabilities

### Request method

CSRF token validation depends on the request method.\
-> Try a different method, e.g. GET instead of POST

### Token only validated when present

The CSRF token is only validated when it is present.\
-> Try removing the token parameter entirely

### Token not tied to session

The CSRF token is not tied to the user's session.\
-> Load the form yourself and reuse that token in the attack
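
The three token weaknesses above (method-dependent validation, missing token accepted, token not bound to the session) come from the same server-side mistakes. The following is an added example, not code from this cheat sheet or from any product, showing a hypothetical weak validator beside a hardened one; the `session` dicts and `ISSUED_TOKENS` pool are constructed stand-ins for a real session store.

```python
import hmac
import secrets

# Methods that must never change state, so they need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed global pool of every token ever issued; having such a pool is
# exactly what makes a token valid across sessions (flaw 3 below).
ISSUED_TOKENS = set()


def issue_token(session):
    """Generate a fresh token and bind it to this server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    ISSUED_TOKENS.add(token)
    return token


def weak_validate(method, session, submitted_token):
    """Hypothetical weak validator reproducing the flaws in this section."""
    if method != "POST":                       # flaw 1: only POST is checked
        return True
    if submitted_token is None:                # flaw 2: missing token accepted
        return True
    return submitted_token in ISSUED_TOKENS    # flaw 3: any issued token, any session


def strict_validate(method, session, submitted_token):
    """Hardened validator: every state-changing method is checked, a missing
    token is rejected, and the token must equal the one bound to this session."""
    if method in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted_token)
```

With `strict_validate`, a token copied from the attacker's own session fails because it is compared only against the victim's session, and a PUT or DELETE without a token is refused.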

### Token tied to a non-session cookie

The CSRF token is tied to a non-session cookie (this needs a way to set a cookie in the victim's browser).

E.g. when the search term is reflected into a `Set-Cookie` header, CRLF injection can set the cookie:

```html
<img src="https://website.com/?search=test%0d%0aSet-Cookie%3a+csrf%3dKyaV39N2JCOjQM7HSx2P7CQLJBLjIcny" onerror="document.forms[0].submit()">
```

### Referer only validated when present

Suppress the Referer header via:

```html
<meta name="referrer" content="never">
```

### Referer validation "contains"

Referer validation can be circumvented when the app only checks whether the Referer header "contains" its own URL.

Fake the Referer by changing the current page's path, which becomes part of the Referer sent with the request:

```javascript
history.pushState('', '', '/?<expected-referer-url>')
```

To stop the browser from stripping the query string from the Referer header, send this HTTP header with the page:

```http
Referrer-Policy: unsafe-url
```
