What is Cross-Site Request Forgery (CSRF)? - apviso

Cross-Site Request Forgery (CSRF)
=================================

An attack that tricks authenticated users into submitting unintended requests to a web application they are logged into.

Tags: vulnerability, browser security, authentication

Cross-Site Request Forgery (CSRF) is an attack where a malicious website causes a user's browser to perform an unwanted action on a trusted site where the user is authenticated. Because the browser automatically includes cookies with every request, the target application cannot distinguish between legitimate and forged requests without additional protections.

CSRF attacks can change email addresses, transfer funds, modify account settings, or perform any action the authenticated user is authorized to do. Modern defenses include anti-CSRF tokens (synchronizer tokens or double-submit cookies), SameSite cookie attributes, and requiring re-authentication for sensitive actions.

While modern frameworks often include built-in CSRF protection, misconfigurations, API endpoints that accept cookie-based auth without token validation, and SameSite=None cookies continue to create vulnerabilities.
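The two defenses named above can be shown side by side. The following is an added example, not APVISO's code and not part of the original glossary entry: it simulates a state-changing endpoint once with a cookie-only check (the situation the first paragraph describes, where the server cannot tell a forged request from a real one) and once with a synchronizer token, an Origin/Referer check, and a `SameSite=Lax` session cookie. The application origin `https://bank.example`, the handler names, the `Request` stand-in and the in-memory session store are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed application origin; a real deployment takes this from configuration.
TRUSTED_ORIGIN = "https://bank.example"

# Constructed in-memory session store: session id -> session record.
SESSIONS: dict = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def create_session(user: str, email: str) -> str:
    """Log a user in: mint a session id and a per-session synchronizer token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "email": email,
        # Synchronizer token: random, bound to this session, rendered by the
        # server into its own forms and unreadable from any other origin.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value; SameSite=Lax keeps the cookie off cross-site POSTs."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own HTML form as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def _authenticated_session(req: Request):
    return SESSIONS.get(req.cookies.get("session", ""))


def change_email_vulnerable(req: Request) -> tuple:
    """Cookie-only check: any POST carrying the cookie is treated as legitimate."""
    session = _authenticated_session(req)
    if req.method != "POST" or session is None:
        return 401, "not authenticated"
    session["email"] = req.form.get("email", session["email"])
    return 200, "email updated"


def _origin_allowed(req: Request) -> bool:
    """Defence in depth: refuse when Origin (or, failing that, Referer) is foreign."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False  # neither header present: do not change state
    return origin == TRUSTED_ORIGIN or origin.startswith(TRUSTED_ORIGIN + "/")


def change_email_protected(req: Request) -> tuple:
    """Origin check plus synchronizer-token check before any state change."""
    session = _authenticated_session(req)
    if req.method != "POST" or session is None:
        return 401, "not authenticated"
    if not _origin_allowed(req):
        return 403, "cross-origin request refused"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so a mismatch does not leak through timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["email"] = req.form.get("email", session["email"])
    return 200, "email updated"


def demo() -> dict:
    """Send a legitimate request, then a forged one, to each handler."""
    results = {}
    for name, handler in (("vulnerable", change_email_vulnerable),
                          ("protected", change_email_protected)):
        sid = create_session("alice", "alice@example.com")
        # Legitimate request: submitted from the site's own form with its token.
        legit = Request("POST", cookies={"session": sid},
                        headers={"Origin": TRUSTED_ORIGIN},
                        form={"email": "alice@newmail.example",
                              "csrf_token": csrf_token_for(sid)})
        # Forged request: the browser attaches the cookie automatically, but the
        # foreign page cannot read the token, so the form carries none.
        forged = Request("POST", cookies={"session": sid},
                         headers={"Origin": "https://evil.example"},
                         form={"email": "attacker@evil.example"})
        results[name] = {
            "legit": handler(legit)[0],
            "forged": handler(forged)[0],
            "final_email": SESSIONS[sid]["email"],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows the cookie-only handler accepting both requests and ending with the attacker-chosen address, while the protected handler returns 403 for the forged request and keeps the address the user set. The origin check and the token check are independent: an endpoint that only receives cookie-based auth (the API case mentioned above) is covered by the token check even when a `SameSite=None` cookie is sent cross-site, and the `SameSite=Lax` attribute in `session_cookie_header` is a browser-side layer on top of both.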

How APVISO tests for this: APVISO's pentester agent checks for missing or weak CSRF token implementations, analyzes SameSite cookie attributes, and tests whether state-changing operations can be triggered cross-origin. It identifies endpoints where CSRF protections are absent or bypassable.

Related Terms
-------------

- [Cross-Site Scripting (XSS)](/glossary/cross-site-scripting)
- [Broken Access Control](/glossary/broken-access-control)
- [OWASP Top 10](/glossary/owasp-top-10)

Test your applications for Cross-Site Request Forgery (CSRF) vulnerabilities
----------------------------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

[Contact sales](/contact)

© 2026 APVISO. All rights reserved.
