Cross-Site Request Forgery (CSRF)
An attack that tricks authenticated users into submitting unintended requests to a web application they are logged into.
Cross-Site Request Forgery (CSRF) is an attack where a malicious website causes a user's browser to perform an unwanted action on a trusted site where the user is authenticated. Because the browser automatically includes cookies with every request, the target application cannot distinguish between legitimate and forged requests without additional protections.
CSRF attacks can change email addresses, transfer funds, modify account settings, or perform any action the authenticated user is authorized to do. Modern defenses include anti-CSRF tokens (synchronizer tokens or double-submit cookies), SameSite cookie attributes, and requiring re-authentication for sensitive actions.
While modern frameworks often include built-in CSRF protection, misconfigurations, API endpoints that accept cookie-based auth without token validation, and SameSite=None cookies continue to create vulnerabilities.
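The three defenses named above (synchronizer tokens, double-submit cookies, and SameSite cookie attributes) are shown below as server-side checks. This is an added example written for this page, not APVISO's code or code from the original text; the `Request` class, the `bank.example` origin, the session store and the server key are constructed stand-ins for what a web framework would provide.

```python
"""Server-side CSRF checks: synchronizer token, signed double-submit cookie, SameSite cookie.

Added illustrative example; not APVISO's implementation. All names and values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Methods that must never change state, so they need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def issue_synchronizer_token(session: Dict[str, str]) -> str:
    """Generate a random token, store it server-side in the session, and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _request_origin(req: Request) -> Optional[str]:
    """Best-effort origin of the request: Origin header first, then the Referer's scheme+host."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.lower()  # may be the literal "null" for opaque origins; treated as foreign
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def _equal(a: str, b: str) -> bool:
    """Constant-time string comparison so token checks do not leak timing information."""
    return hmac.compare_digest(a.encode(), b.encode())


def validate_synchronizer(req: Request, session: Dict[str, str], site_origin: str) -> Tuple[bool, str]:
    """Synchronizer-token pattern: the submitted token must equal the one stored in the session."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = _request_origin(req)
    if origin is not None and origin != site_origin.lower():
        return False, f"cross-origin request from {origin}"
    expected = session.get("csrf_token")
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not expected or not submitted:
        return False, "missing CSRF token"
    if not _equal(expected, submitted):
        return False, "CSRF token mismatch"
    return True, "ok"


def issue_double_submit_cookie(session_id: str, server_key: bytes) -> str:
    """Signed double-submit value: HMAC over the session id binds the cookie to this session."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def validate_double_submit(req: Request, session_id: str, server_key: bytes) -> Tuple[bool, str]:
    """Double-submit pattern: cookie value and submitted value must both match the expected HMAC."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_value = req.cookies.get("csrf")
    submitted = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not cookie_value or not submitted:
        return False, "missing CSRF cookie or token"
    expected = issue_double_submit_cookie(session_id, server_key)
    if not (_equal(cookie_value, expected) and _equal(submitted, expected)):
        return False, "CSRF cookie/token mismatch"
    return True, "ok"


def session_cookie_header(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a Set-Cookie line; Lax/Strict stop the browser attaching the cookie to cross-site POSTs."""
    if same_site not in {"Strict", "Lax", "None"}:
        raise ValueError("SameSite must be Strict, Lax or None")
    # Secure is always set: SameSite=None is only honoured on Secure cookies anyway.
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", f"SameSite={same_site}"]
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_synchronizer_token(session)
    site = "https://bank.example"
    forged = Request("POST", {"Origin": "https://evil.example"}, {"sid": "s1"}, {"amount": "100"})
    print(validate_synchronizer(forged, session, site))
    genuine = Request("POST", {"Origin": site}, {"sid": "s1"}, {"csrf_token": token, "amount": "100"})
    print(validate_synchronizer(genuine, session, site))
    print(session_cookie_header("sid", "s1"))
```

The origin check runs before the token check so a request from a foreign site is refused even if a token somehow leaked; the token check still applies when neither Origin nor Referer is present, so a stripped header does not become a bypass. The double-submit variant signs the cookie value with a server key rather than using a bare random value, which closes the gap where an attacker who can set cookies for a sibling subdomain could plant a matching pair.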
How APVISO tests for this: APVISO's scanner agent checks for missing or weak CSRF token implementations, analyzes SameSite cookie attributes, and tests whether state-changing operations can be triggered cross-origin. It identifies endpoints where CSRF protections are absent or bypassable.
Test your applications for Cross-Site Request Forgery (CSRF) vulnerabilities
APVISO's AI agents automatically test for this and many more vulnerability categories.