Last updated: May 1, 2026
Cross-Site Request Forgery (CSRF) tricks a user’s browser into submitting authenticated actions to a site the user is logged into. It was once ubiquitous; modern browsers (SameSite cookie defaults) and frameworks (built-in anti-CSRF tokens) have since made the baseline defence far stronger. But CSRF still appears, especially in legacy APIs and in apps that treat the mere presence of a session cookie as proof that the user intended the request.
The core attack
The user is logged into bank.com, so the browser holds a bank.com session cookie. The user then visits malicious.com, whose page contains a hidden form (or a script-driven fetch) that POSTs amount=10000&to=attacker to https://bank.com/transfer. The browser attaches bank.com’s cookie to that request exactly as it would to one the user made deliberately, and the transfer executes.
<!-- Malicious page served from malicious.com -->
<!-- The form is hidden; the victim sees nothing and clicks nothing -->
<form action="https://bank.com/transfer" method="POST" id="f" style="display:none">
  <input name="amount" value="10000">
  <input name="to" value="attacker">
</form>
<!-- Auto-submit on load; the browser adds bank.com's cookies to the POST -->
<script>document.getElementById('f').submit();</script>
Classic CSRF. The user never authorised the action, but it executes with their credentials, because the browser attaches bank.com’s cookies to any request bound for bank.com regardless of which page triggered it. One caveat for anyone reproducing this today: Chrome has defaulted cookies that carry no SameSite attribute to Lax since 2020, which withholds them from a cross-site POST like this one (except for roughly two minutes after the cookie is set, under Chrome’s Lax+POST allowance). A cookie explicitly set with SameSite=None; Secure, or a browser that does not apply the Lax default, reopens the hole, so treat SameSite as one layer rather than the whole defence.