Cross-Site Request Forgery (CSRF)
An attack that tricks a logged-in user's browser into sending requests the user never intended to a website that trusts that browser.
What is CSRF?
In one sentence: an attacker makes your browser perform an action on a website where you are logged in (transfer money, change your password) without you noticing.
Imagine you log in to your bank and then visit another site. That site contains code that quietly makes your browser send a money transfer request to the bank, with the attacker's account as the destination. The bank sees a request carrying your session cookie, assumes you made it, and executes the transfer. That is CSRF.
How does it work?
- You log in to the bank website
- The bank sets a session cookie, which your browser stores
- You visit another site, one the attacker controls
- That site makes your browser send a request to the bank (for example a transfer)
- Your browser automatically attaches the bank's session cookie to that request
- The bank cannot tell this request from one you made yourself, so it executes it
CSRF Example:
The attacker creates a page containing this code:
<img src="https://bank.com/transfer?to=hacker&amount=1000" style="display:none">
When you open this page while logged in to the bank, your browser requests the image URL and attaches your bank cookie, so the bank receives a transfer request that looks like yours. The attack only succeeds if the bank performs the transfer on a plain GET request and the browser actually sends the cookie cross-site: a cookie marked SameSite=Lax (the default in Chromium-based browsers since 2020) is not attached to a cross-site image load, whereas a SameSite=None cookie is. For endpoints that require POST, attackers use the same trick with a hidden, auto-submitting form instead of an image.
Why is it important for security?
Because CSRF lets an attacker perform any action the site allows for a logged-in user: money transfer, password change, email change, account deletion. The user typically never notices that anything happened.