loading
Loading content
loading
Also known as CSRF, XSRF
Cross-site request forgery abuses the way browsers attach cookies to every request for a site. If a user is logged in to a bank and then visits an attacker's page, that page can trigger a hidden form post or image request to the bank, and the browser sends the session cookie along automatically. The bank sees a valid session and processes the action, whether that is a password change, a fund transfer, or an email update, without the user ever intending it.
The attack works only against state-changing requests that rely on the session alone for authorization. Defenses break that assumption: anti-CSRF tokens tied to the session, the SameSite cookie attribute that stops cross-origin cookie sending, and checks on the Origin or Referer header. CSRF appears in the OWASP Top Ten history and remains a staple of web application security testing.
CSRF pairs badly with other flaws. A reflected XSS bug can defeat token defenses, and weak server-side checks blur into broken access control when actions run without verifying who asked.
In a Trickest workflow you crawl an application's state-changing endpoints and flag forms and APIs that lack token or SameSite protection, surfacing candidates for manual confirmation across a large target set.
Related terms