Cross-Site Request Forgery (CSRF)

Submitting data-altering requests blindly from your domain on the client-side. Cookies are automatically sent, often requiring CSRF tokens as protection

PreviousCSS Injection NextWindow Popup Tricks

Last updated 1 month ago

Description

Same-origin & CORS

Origin Check Bypasses

Origin: null

Origin: * with credentials (cache)

Preflight & Content Types

Same-site

Third-party cookie protections

Attack Examples

SameSite=Strict: bypassing using client-side redirect

SameSite=Lax: method override

SameSite=None: Background requests

SameSite is missing: None or abusing the 2-minute window

Multiple top-level requests

Cookie Tossing

Cookie order

Removing cookies

__Host- prefix

Self-XSS exploitation using Path

Other cookie attacks

Protections

CSRF Tokens

Double-Submit Pattern (CSRF Cookies)

Referer/Origin header checks

Description

Same-origin & CORS

Origin Check Bypasses

Origin: null

Origin: * with credentials (cache)

Preflight & Content Types

Same-site

Third-party cookie protections

Attack Examples

SameSite=Strict: bypassing using client-side redirect

SameSite=Lax: method override

SameSite=None: Background requests

SameSite is missing: None or abusing the 2-minute window

Multiple top-level requests

Cookie Tossing

Cookie order

Removing cookies

__Host- prefix

Self-XSS exploitation using Path

Other cookie attacks

Protections

CSRF Tokens

Double-Submit Pattern (CSRF Cookies)

Referer/Origin header checks

`Origin: *` with credentials (cache)

`SameSite=Strict`: bypassing using client-side redirect

`SameSite=Lax`: method override

`SameSite=None`: Background requests

`SameSite` is missing: `None` or abusing the 2-minute window

`__Host-` prefix

`Origin: *` with credentials (cache)

`SameSite=Strict`: bypassing using client-side redirect

`SameSite=Lax`: method override

`SameSite=None`: Background requests

`SameSite` is missing: `None` or abusing the 2-minute window

`__Host-` prefix