Cross-Site Request Forgery (CSRF) Vulnerability Demo

Date	Description	Amount
2025-03-20	Salary	$3,000.00
2025-03-15	Grocery Store	$150.00
2025-03-10	Gas Station	$45.00

Date	Description	Amount
2025-03-20	Salary	$3,000.00
2025-03-15	Grocery Store	$150.00
2025-03-10	Gas Station	$45.00

Anatomy of a CSRF Attack

Prerequisites for a Successful CSRF Attack:

The victim is authenticated to the target site (has an active session)
No unpredictable request parameters are required (no CSRF tokens)
The attacker can determine all required request values needed to perform the action

Common CSRF Attack Vectors:

HTML Forms: Hidden forms that auto-submit using JavaScript
IMG Tags: <img src="https://bank.com/transfer?to=attacker&amount=1000">
XHR/Fetch Requests: JavaScript that makes cross-site requests
Iframes: Loading the target site in an iframe and manipulating it

Impact of CSRF Attacks:

Financial loss through unauthorized fund transfers
Account hijacking through changing email/password
Data theft or modification
Performing actions the user did not intend to do

CSRF Protection Methods

1. CSRF Tokens

The most common defense is to include a unique, unpredictable token with each request that requires a state change:

// Generate a token
$csrf_token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $csrf_token;

// Include in HTML form
echo '<input type="hidden" name="csrf_token" value="' . $csrf_token . '">';

// Verify on submission
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    // Invalid token, reject the request
}

2. SameSite Cookie Attribute

Modern browsers support the SameSite attribute which controls when cookies are sent with cross-site requests:

// Strict: Cookies are only sent for same-site requests
setcookie('session', $value, ['samesite' => 'Strict']);

// Lax: Cookies are sent for same-site requests and top-level navigations
setcookie('session', $value, ['samesite' => 'Lax']);  // Default in modern browsers

3. Custom Request Headers

Require a custom header that browsers won't allow in cross-site requests due to CORS restrictions:

// JavaScript adds a custom header
const xhr = new XMLHttpRequest();
xhr.open('POST', '/api/transfer');
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');

// Server verifies the header exists
if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || 
    $_SERVER['HTTP_X_REQUESTED_WITH'] !== 'XMLHttpRequest') {
    // Reject the request
}

4. Double-Submit Cookie Pattern

Set a random cookie value and require the same value as a request parameter:

// Set a cookie with a random value
setcookie('csrf', $randomValue);

// Include the same value in the form
echo '<input type="hidden" name="csrf" value="' . $randomValue . '">';

// Verify values match
if ($_COOKIE['csrf'] !== $_POST['csrf']) {
    // Reject the request
}

5. Re-authentication for Sensitive Actions

Require the user to confirm their identity before critical actions:

// Before processing a sensitive action
if (!isset($_POST['password'])) {
    // Show confirmation form
} else {
    // Verify password matches the user's password
    if (password_verify($_POST['password'], $user['password_hash'])) {
        // Process the action
    }
}

Cross-Site Request Forgery (CSRF) Vulnerability

CSRF Demonstration

Account Summary

Transfer Money

Transaction History

Win a Free iPhone!

Congratulations! You've Been Selected to Win a Free iPhone 15 Pro!

How this attack works: