Comprehensive CSRF Guide

A practitioner’s reference for Cross-Site Request Forgery — attack surface, exploitation techniques, SameSite and token bypasses, real-world chains, and detection/prevention. Compiled from 37 research sources.

Table of Contents

- Fundamentals
- Attack Surface & Preconditions
- Attack Delivery Techniques
- Content-Type & JSON CSRF
- SameSite Cookie Model
- SameSite Bypass Techniques
- CSRF Token Bypasses
- Referer / Origin Check Bypasses
- Method Override & Verb Tampering
- Login & Logout CSRF
- CORS Misconfiguration Chains
- Clickjacking Overlap
- Real-World Cases & CVEs
- Exploitation Chains
- Tools & Automation
- Detection & Testing Methodology
- Prevention & Defense in Depth
- Payload Quick Reference

1. Fundamentals

Cross-Site Request Forgery (CSRF / XSRF / “sea-surf”) is an attack that tricks an authenticated user’s browser into submitting a state-changing request to a target application. The victim’s browser automatically attaches ambient credentials — cookies, HTTP Basic auth, client certificates, Kerberos tickets, IP-based authorization — so the target application cannot distinguish a forged request from a legitimate one. ...

April 10, 2026 · 26 min · Carl Sampson