Cyfotok Labs logo
CyfotokCyfotok Labs
DashboardPathsLabsLeaderboardPricingFor Colleges
Sign up
LoginSignup
  1. Home
  2. /
  3. Guides
  4. /
  5. What Is CSRF (Cross-Site Request Forgery)?
Cybersecurity BasicsEnglish

What Is CSRF (Cross-Site Request Forgery)?

CSRF tricks a logged-in user's browser into sending unwanted requests to a site where they are authenticated. The browser automatically includes session cookies, so the server treats the forged request as legitimate. Learn CSRF mechanics and defenses through hands-on Cyfotok labs.

Published 1 June 2025Updated 1 June 2026

How CSRF works

Victim logs into bank.com. Attacker's page contains <img src='bank.com/transfer?to=attacker&amount=1000'>. Browser sends request with victim's cookies. Bank processes transfer.

CSRF vs XSS

XSS executes script in victim's browser on the target site. CSRF forges requests without needing script injection on the target. Both abuse trust.

Defenses

CSRF tokens (synchronizer tokens), SameSite cookie attribute, re-authentication for sensitive actions, Origin/Referer header validation.

Lab practice

Cyfotok CSRF lab provides a vulnerable banking-style app. Craft HTML form or fetch request that triggers state-changing action as another user.

Frequently asked questions

Is CSRF still common?
Less common on modern frameworks with built-in CSRF tokens, but still appears in custom APIs and legacy apps.

Related guides

  • CSRF Lab Guide — Hands-On Practice

    CSRF lab guide: forge state-changing requests, build PoC HTML, and exploit missing tokens on Cyfotok.

  • What Is Cross-Site Scripting (XSS)?

    What is XSS (Cross-Site Scripting)? Learn reflected, stored, and DOM-based XSS with hands-on labs on Cyfotok.

  • OWASP Top 10 Explained for Beginners

    OWASP Top 10 explained simply: injection, broken auth, XSS, and more. Practice each risk category on Cyfotok Labs.

  • What Is IDOR (Insecure Direct Object Reference)?

    What is IDOR? Learn how broken access control exposes other users' data and practice IDOR labs on Cyfotok.

Ready to practice?

Try CSRF lab