Cross-Site Request Forgery

CSRF

An attack that tricks a user’s browser into submitting an authenticated request to a target site without the user’s intent, leveraging existing cookies or credentials.

Tags: #appsec #web #cwe #capec

Last updated: 2025-08-23T00:00:00.000Z

Differences across sources

Parallel sources use distinct terminology or emphasize different aspects. Review each citation to understand scope and normative intent.

Evidence

CWE-352: Cross-Site Request Forgery (CSRF) (CWE, normative evidence)

The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user.

Source: cwe.mitre.org

CAPEC-62: Cross-Site Request Forgery (CAPEC, normative evidence)

An adversary leverages existing authentication state to cause a victim’s browser to perform an action that benefits the adversary.

Source: capec.mitre.org

OWASP: Cross-Site Request Forgery (CSRF) (other, informative evidence)

CSRF forces a logged-on victim’s browser to send a forged HTTP request to a vulnerable web application.

Source: owasp.org

Mappings

CWE-352, CAPEC-62, CISSP Domain 8

Examples

Forged Money Transfer

A logged-in banking user visits a malicious page that auto-submits a hidden form to the bank’s /transfer endpoint using the victim’s session cookies.

More context

Mitigations include protecting state-changing requests with anti-CSRF tokens bound to the session (synchronizer token or double-submit patterns), setting the SameSite attribute on session cookies, and requiring re-authentication or re-authorization for sensitive actions. Ensure GET requests are idempotent (never state-changing) and apply appropriate CORS policies.
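The forged money transfer above, defended with the synchronizer token pattern and a SameSite session cookie, as an added example that is not part of this glossary entry or of any cited source. It assumes a hypothetical bank application at https://bank.example with a /transfer handler, an in-memory session store standing in for a real one, and constructed requests: the legitimate form carries the token it read from the server's page, while the attacker's hidden form cannot read it and is rejected even if the browser attached the cookie.

```python
"""Synchronizer-token CSRF protection for a /transfer endpoint (illustrative, not a real app)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> session data. The CSRF token
# lives server-side in the session and is only ever written into the site's own forms.
SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application


def create_session(user):
    """Log a user in. Returns (session_id, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32), "balance": 1000}
    # SameSite=Lax stops the browser attaching the cookie to cross-site POSTs;
    # Strict would also withhold it on top-level cross-site navigations.
    cookie = f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
    return sid, cookie


def csrf_token_for(sid):
    """The value the server embeds as a hidden field in its own transfer form."""
    return SESSIONS[sid]["csrf_token"]


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def same_origin(value):
    """True when an Origin/Referer header names SITE_ORIGIN exactly (scheme + host)."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_transfer(req):
    """Process a transfer. Returns (status, message); any failed check leaves the balance untouched."""
    if req.method != "POST":
        return 405, "state-changing action requires POST"  # GET must stay idempotent
    sess = SESSIONS.get(parse_cookies(req.headers.get("Cookie", "")).get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # Defence in depth: a browser-supplied Origin/Referer from another site is rejected outright.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin and not same_origin(origin):
        return 403, "cross-site origin"
    # Synchronizer token: the form value must match the token stored in this session.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    try:
        amount = int(req.form.get("amount", "0"))
    except ValueError:
        return 400, "bad amount"
    if amount <= 0 or amount > sess["balance"]:
        return 400, "amount out of range"
    sess["balance"] -= amount
    return 200, f"transferred {amount} to {req.form.get('to', '?')}"


def legitimate_request(sid):
    """The bank's own form submission: cookie plus the token it rendered into the page."""
    return Request("POST", "/transfer",
                   {"Cookie": f"session={sid}", "Origin": SITE_ORIGIN},
                   {"csrf_token": csrf_token_for(sid), "to": "bob", "amount": "100"})


def forged_request(sid):
    """Hidden form auto-submitted from attacker.example (constructed): the browser may attach
    the cookie, but the attacker's page cannot read the token, so the form lacks it."""
    return Request("POST", "/transfer",
                   {"Cookie": f"session={sid}", "Origin": "https://attacker.example"},
                   {"to": "mallory", "amount": "900"})


if __name__ == "__main__":
    sid, set_cookie = create_session("alice")
    print(set_cookie)
    print(handle_transfer(legitimate_request(sid)))  # 200, balance 900
    print(handle_transfer(forged_request(sid)))      # 403, balance unchanged
    print(SESSIONS[sid]["balance"])
```

Both the Origin check and the token check independently reject the forged form; the Origin check is kept because some clients omit Referer and older ones omit Origin, so the token remains the primary control, with SameSite on the cookie as a browser-side backstop.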
