Application Security

CSRF (Cross-Site Request Forgery)

An attack that forces authenticated users to submit unwanted requests to a web application where they are currently logged in, exploiting the trust that the site has in the user's browser. For example, an attacker could craft a link that transfers funds or changes account settings when clicked by a logged-in user. CSRF works because browsers automatically include session cookies with every request to a domain. Defenses include anti-CSRF tokens (synchronizer tokens), SameSite cookie attributes, checking the Origin/Referer headers, and requiring re-authentication for sensitive actions. CSRF is an OWASP Top 10 vulnerability and is tested in CEH, OSCP, and web application security certifications.

Why It Matters

In practice, CSRF is critical because it allows attackers to perform actions on behalf of authenticated users without their knowledge, potentially changing passwords, transferring funds, or modifying account settings through a single malicious link or embedded image. Organizations that fail to implement anti-CSRF tokens face state-changing operations being triggered by external sites whenever a user has an active session. Modern browsers have significantly mitigated CSRF through the SameSite cookie attribute defaulting to Lax, but legacy applications and custom cookie configurations remain vulnerable. CSRF attacks are particularly dangerous when combined with XSS, which can bypass token-based protections by reading the tokens from the page. On certification exams such as CEH, OSCP, and Security+, expect questions about how CSRF exploits browser cookie behavior, implementing synchronizer token patterns, understanding the protection provided by SameSite cookie attributes, and distinguishing CSRF from XSS in terms of trust exploitation direction.

Practice this topic

Test your knowledge of CSRF (Cross-Site Request Forgery) concepts with exam-style practice questions.

CSSLP GWAPT DevSecOps

Related Application Security terms

OWASP

The Open Web Application Security Project — a nonprofit foundation focused on improving software security through community-led open-source projects, tools, documentation, and standards. OWASP is best known for the OWASP Top 10 — a regularly updated list of the most critical web application security risks (including injection, broken authentication, XSS, and security misconfiguration). Other key projects include the OWASP Testing Guide, ASVS (Application Security Verification Standard), ZAP (Zed Attack Proxy), and the Mobile Security Testing Guide. OWASP resources are referenced across virtually every security certification and are the de facto standard for web application security assessments.

SAST (Static Application Security Testing)

A testing methodology that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program, often called 'white-box' testing. SAST tools scan codebases for patterns that match known vulnerability types such as SQL injection, XSS, buffer overflows, and hardcoded credentials. They integrate into CI/CD pipelines to catch issues early in the development lifecycle (shift-left security). Popular SAST tools include SonarQube, Checkmarx, Semgrep, and Fortify. SAST complements DAST (runtime testing) and is a fundamental practice in DevSecOps and secure SDLC, tested in CSSLP and DevSecOps certifications.

DAST (Dynamic Application Security Testing)

A testing methodology that analyzes running applications for vulnerabilities by simulating external attacks without access to source code, often called 'black-box' testing. DAST tools interact with the application through its interfaces (HTTP requests, APIs) to find issues like injection flaws, authentication problems, configuration errors, and sensitive data exposure. Unlike SAST, DAST finds runtime-specific issues but cannot pinpoint the exact line of vulnerable code. Popular DAST tools include OWASP ZAP, Burp Suite, Nikto, and Acunetix. DAST is used alongside SAST in a comprehensive application security program and is tested in CEH, OSCP, and DevSecOps certifications.

DevSecOps

An approach that integrates security practices within the DevOps process throughout the entire software development lifecycle, making security a shared responsibility rather than an afterthought. DevSecOps automates security testing at every stage: SAST in code commits, dependency scanning in builds, DAST in staging, infrastructure-as-code scanning, and container image scanning before deployment. Key principles include shift-left security, security as code, automated compliance checks, and continuous monitoring in production. Tools include GitHub Advanced Security, Snyk, HashiCorp Vault, and Falco. DevSecOps is increasingly tested in CISSP, CSSLP, and dedicated DevSecOps foundation certifications.