A CSRF vulnerability allows an attacker to send a malicious link to a victim, which when clicked upon, performs an unintended action on behalf of the victim's authenticated session.

Attacker cannot see the reponse from the webpage.

Target state-changing requests. Eg:Password change, transferring money.


  • Decodable/Guessable CSRF tokens

  • Test re-use of tokens

  • Test swapping tokens between User A & User B.

  • An attacker can inject the crafted link into an image tag on the attacker's page, which when visited by the victim get's acted upon without clicking.

Last updated