CSRF

Cross-Site Request Forgery

A CSRF vulnerability allows an attacker to send a victim a malicious link which, when clicked, performs an unintended action using the victim's authenticated session.

The attacker cannot see the response from the web page.

Target state-changing requests, e.g. a password change or a money transfer.

Exploitation

  • Decodable/Guessable CSRF tokens

  • Test re-use of tokens

  • Test swapping tokens between User A & User B.

  • An attacker can embed the crafted link in an image tag on a page they control; when the victim visits that page, the browser issues the request automatically, with no click required.
