
Client Side Request Forgery (CSRF)


Last updated 1 month ago

What is CSRF?

CSRF (Cross-Site Request Forgery) is an attack that tricks a user into performing unwanted actions on a web application where they’re already authenticated.

How does it work?

  1. You are logged into a site (e.g., your bank), so your browser holds a valid session cookie for it.

  2. A malicious website tricks your browser into sending a request to that site (e.g., a money transfer), typically through an auto-submitting form or a crafted link.

  3. Because you are already logged in, the browser attaches your session cookie to that request automatically.

  4. The site processes the request as if it came from you, without your knowledge or consent.
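The four steps above, seen from the server side, as an added example that is not part of the original page: a `transfer` handler that trusts the session cookie alone (step 3 is all an attacker needs) next to the same handler hardened with an Origin check and a per-session synchronizer token. The request model, session store, site names and secret are constructed for the demo, not any framework's API.

```python
import hmac
import hashlib

# Constructed demo state: cookie value -> session data; a fixed secret (random in production).
SESSIONS = {"sess-abc": {"user": "alice"}}
SERVER_SECRET = b"constructed-server-secret"
SITE_ORIGIN = "https://bank.example"

def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to the session; the server embeds it in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_vulnerable(req: dict) -> str:
    """Checks only the cookie, which the browser attached on the attacker's behalf."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if req["method"] != "POST" or sess is None:
        return "rejected: not authenticated"
    return f"transferred {req['form']['amount']} from {sess['user']}"

def transfer_hardened(req: dict) -> str:
    """Same endpoint with two checks a cross-site page cannot satisfy."""
    sid = req["cookies"].get("session")
    sess = SESSIONS.get(sid)
    if req["method"] != "POST" or sess is None:
        return "rejected: not authenticated"
    # 1. Browsers set Origin on cross-site POSTs and page script cannot override it.
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return "rejected: cross-site origin"
    # 2. The form must carry the token bound to this session (constant-time compare).
    submitted = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token_for(sid)):
        return "rejected: missing or wrong csrf token"
    return f"transferred {req['form']['amount']} from {sess['user']}"

def forged_request() -> dict:
    """Constructed: what an auto-submitting form on another site produces. The victim's
    cookie rides along, but Origin is the other site and the token is unknown to it."""
    return {"method": "POST",
            "headers": {"Origin": "https://evil.example"},
            "cookies": {"session": "sess-abc"},
            "form": {"amount": "1000", "to": "attacker"}}

def legitimate_request() -> dict:
    """Constructed: the same action submitted from the bank's own form with its token."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"session": "sess-abc"},
            "form": {"amount": "50", "to": "bob", "csrf_token": csrf_token_for("sess-abc")}}
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, since the cookie then is not attached to cross-site POSTs in the first place.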

Video Explanation