Full Report
Whether Cross-Site Request Forgery (CSRF) works or not comes down to a combination of intentional security features and accidental legacy protections. CSRF is often called the "session riding attack": when a page you visit makes a request to a site, the browser attaches that site's cookies. So what happens when malicious.com makes a request to amazon.com? This post discusses when and why CSRF exploits work in excellent detail. Cookies have been, and will continue to be, sent on requests, so the goal is to stop attackers from using them via a CSRF attack.

A classic mitigation is double-submit protection, which places a large random value in both the request body and a cookie. Since the attacker can't read cookies cross-site, this works well. If the attacker controls a same-site origin, however, "cookie tossing" can override this cookie, so a __Host- prefixed cookie should be used instead.

The SameSite cookie flag prevents CSRF at the browser level. It has three modes: none, lax and strict. Some browsers default to none because lax would break many SSO flows, while others default to lax, which breaks many CSRF attacks. Some browsers even relax that default for the first two minutes after the cookie is set. This is a very good protection but does have some integration issues.

The Origin header is a surprising safeguard as well. Since it cannot be spoofed, a backend that knows its own domain can reject requests based on Origin very effectively. There are edge cases, though, where the header is removed by Referrer-Policy or by Chrome extensions.

CORS is not meant to protect against CSRF, but it sort of does! When a "non-simple request" is made, the browser first sends a preflight OPTIONS request. Since the request comes from an origin the target does not allow, the browser blocks it. This is very limiting for CSRF attacks, but there are clever workarounds.

Browsers recently introduced Fetch Metadata. On each request, the browser sets the Sec-Fetch-Site header to cross-site, same-site, same-origin or none. Since the browser sets this header and page content cannot forge it, checking it on the backend provides excellent CSRF protection. According to some articles, it is now the recommended way to prevent CSRF attacks. Overall, a fantastic article on the state of CSRF protections in 2025. I'll be referencing this article for years to come!
Analysis Summary
# Vulnerability: Cross-Site Request Forgery (CSRF)
## CVE Details
- **CVE ID**: N/A (Class-based vulnerability; specific to application implementation)
- **CVSS Score**: Variable (Typically 4.3 to 8.8 based on the sensitivity of the targeted action)
- **CWE**: [CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html)
## Affected Systems
- **Products**: Web applications utilizing cookie-based authentication or ambient authority for state-changing operations.
- **Versions**: All versions lacking modern browser-based protections or explicit anti-CSRF tokens.
- **Configurations**:
  - Applications using cookies without the `SameSite` attribute.
  - Applications failing to validate `Origin`, `Referer`, or `Sec-Fetch-Site` headers.
  - Legacy SSO flows that require third-party cookies.
## Vulnerability Description
CSRF is a "confused deputy" attack where an attacker lures a victim to a malicious site (`attacker.example`). This site triggers a cross-origin request (e.g., via `<form>` or `fetch`) to a target application (`example.com`) where the victim is authenticated. Because browsers automatically include cookies associated with the target domain in these requests, the server performs the action (e.g., `send-money`, `change-password`) as if the user intentionally initiated it. The core issue lies in the web platform's legacy behavior of treating cross-site requests as authenticated by default.
## Exploitation
- **Status**: Extensively exploited in the wild; PoC available for standard implementations.
- **Complexity**: Low (Attacker only needs to craft a hidden form or script on a site the victim visits).
- **Attack Vector**: Network (Web-based).
## Impact
- **Confidentiality**: Low (Attacker generally cannot read the response, only trigger the action).
- **Integrity**: **High** (Attacker can perform unauthorized state-changing actions, modify account data, or transfer funds).
- **Availability**: Medium (Potential for account lockout or deletion).
## Remediation
### Patches
As CSRF is a design flaw in how an application handles requests, "patches" involve updating the application code or configuration to adopt modern web standards.
### Workarounds / Mitigations
- **Fetch Metadata (Recommended)**: Verify the `Sec-Fetch-Site` header on the backend. Deny requests where the value is `cross-site` for sensitive endpoints.
- **SameSite Cookie Attribute**: Set cookies to `SameSite=Lax` (default in modern Chrome/Edge) or `SameSite=Strict`.
- **Double-Submit Protection with `__Host-` Prefix**: Use a random token in both a cookie and a request parameter. Use the `__Host-` prefix on the cookie to prevent "cookie tossing" from subdomains or non-secure origins.
- **Origin/Referer Check**: Validate the `Origin` header against the application's known domain. If `Origin` is missing (e.g., due to `Referrer-Policy`), fall back to the `Referer` header.
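The mitigations listed above (and walked through in the Full Report) combined into one backend gate for a state-changing endpoint, as an added example that is not code from the article or any project it describes. It assumes a cookie named `__Host-csrf`, a form field `csrf_token` and `https://example.com` as the application's own origin; requests with no Fetch Metadata, `Origin` or `Referer` at all are denied rather than allowed.

```python
import hmac
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://example.com"  # the application's own origin (assumed)
CSRF_COOKIE = "__Host-csrf"             # assumed name; __Host- means Secure, no Domain, Path=/
CSRF_FIELD = "csrf_token"               # assumed form field carrying the same token


def _origin_of(url):
    """Reduce a URL such as a Referer to its scheme://host[:port] origin ("" if unparsable)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def csrf_check(headers, cookies, form):
    """Gate for a state-changing endpoint. Returns (allowed, reason).
    headers, cookies and form are plain dicts; header names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Fetch Metadata: the browser sets Sec-Fetch-Site and page content cannot forge it.
    site = h.get("sec-fetch-site")
    if site is not None:
        if site == "cross-site":
            return False, "Sec-Fetch-Site is cross-site"
    else:
        # 2. Older browsers send no Fetch Metadata: check Origin, then fall back to Referer.
        #    Referrer-Policy or an extension may strip both; with no provenance, deny.
        source = h.get("origin") or _origin_of(h.get("referer", ""))
        if not source:
            return False, "no Sec-Fetch-Site, Origin or Referer header"
        if source != ALLOWED_ORIGIN:
            return False, f"origin {source} is not the application's own"

    # 3. Double-submit token: cookie and form value must both be present and equal.
    #    The __Host- prefix stops a subdomain or non-secure origin from tossing its own cookie.
    cookie_tok = cookies.get(CSRF_COOKIE, "")
    form_tok = form.get(CSRF_FIELD, "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok, form_tok):
        return False, "double-submit token missing or mismatched"
    return True, "ok"
```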
## Detection
- **Indicators of Compromise**:
  - Unexpected state changes in user accounts.
  - Audit logs showing sensitive POST/PUT actions with `Referer` headers from external or unknown domains.
- **Detection Methods**:
  - **Security Scanners**: Use DAST tools to test for missing CSRF tokens or `SameSite` configurations.
  - **Traffic Analysis**: Monitor for `Sec-Fetch-Site: cross-site` headers on state-changing requests.
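The two log-based indicators above turned into a scan over access logs, as an added example rather than code from the article. It assumes the server writes one JSON object per request with the fields shown; the sample lines are constructed. It goes one step beyond the list by also surfacing state-changing requests that carry no provenance headers at all, since the report notes that `Referrer-Policy` and extensions can strip them.

```python
import json
from urllib.parse import urlsplit

OWN_ORIGIN = "https://example.com"               # the application's own origin (assumed)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log, not real traffic. Field names are an assumption about the log format.
SAMPLE_LOG = """
{"method": "GET",  "path": "/account",         "referer": "https://example.com/",         "sec_fetch_site": "same-origin", "user": "alice"}
{"method": "POST", "path": "/send-money",      "referer": "https://example.com/transfer", "sec_fetch_site": "same-origin", "user": "alice"}
{"method": "POST", "path": "/change-password", "referer": "https://attacker.example/p",   "sec_fetch_site": "cross-site",  "user": "bob"}
{"method": "POST", "path": "/send-money",      "referer": "",                             "sec_fetch_site": "",            "user": "carol"}
{"method": "GET",  "path": "/logo.png",        "referer": "https://other.example/",       "sec_fetch_site": "cross-site",  "user": "-"}
"""


def _origin_of(url):
    """Reduce a URL such as a Referer to its scheme://host[:port] origin ("" if unparsable)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def flag_csrf_suspects(log_text):
    """Return [(user, method, path, reason)] for state-changing requests whose
    provenance is cross-site, from a foreign Referer, or missing entirely."""
    suspects = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] not in STATE_CHANGING:
            continue  # cross-site GETs (images, links) are normal browsing, not a CSRF signal
        site = rec.get("sec_fetch_site", "")
        ref_origin = _origin_of(rec.get("referer", ""))
        if site == "cross-site":
            reason = "Sec-Fetch-Site: cross-site"            # browser-asserted, cannot be forged
        elif ref_origin and ref_origin != OWN_ORIGIN:
            reason = f"Referer origin {ref_origin}"           # external or unknown domain
        elif not site and not ref_origin:
            reason = "no provenance headers"                  # stripped by policy/extension, or old client
        else:
            continue
        suspects.append((rec["user"], rec["method"], rec["path"], reason))
    return suspects
```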
## References
- MDN Web Docs - CSRF: [https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF)
- OWASP CSRF Prevention Cheat Sheet: [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
- W3C Fetch Metadata: [https://www.w3.org/TR/fetch-metadata/](https://www.w3.org/TR/fetch-metadata/)