
Cross-site request forgery


The application's configuration allows an attacker to trick authenticated users into executing actions without their consent.


Impersonate a user's request to execute malicious actions in the application.


Use tokens in forms to verify that requests were made by legitimate users.


Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 30 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N


  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application should include a unique, unpredictable token in each form and validate it on the server to confirm that the request was submitted intentionally by the user rather than forged from another site.

<input type="hidden" name="csrf-token" value="CIwNZNlR4XbisJF39I8yWnWX9wX4WFoz" />
<input type="text" name="name" id="name" placeholder="Name" required/>
<label id="icon" for="name"><i class="fas fa-unlock-alt"></i></label>
<input type="password" name="password" id="password" placeholder="Password" required/>

Another option is to use a framework with built-in CSRF protection.

Non compliant code

Vulnerable request that the application could potentially accept: it relies on a session cookie that is shared among all subdomains, and it uses a GET request to change state.

GET /email/change HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

[email protected]
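The following is an added server-side example, not code from the original page, showing how the compliant token check above and the rejection of the non-compliant GET-based state change fit together. It simulates a minimal request handler for the /email/change action: the token is generated per session with a CSPRNG, stored server-side, embedded in the form as the hidden csrf-token field, and compared in constant time on submission. The session store, the handle_request signature and the session_cookie_header helper are assumptions made for this example; the session id value is constructed.

```python
import hmac
import secrets

# Constructed in-memory session store so the example runs offline.
# In a real application this is the session backend; the dict is an assumption.
SESSIONS: dict[str, dict] = {}


def issue_token(session_id: str) -> str:
    """Create (or reuse) the per-session CSRF token and keep it server-side."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        # 32 random bytes from a CSPRNG; the attacker cannot guess this value
        # and, because of the same-origin policy, cannot read it from the victim's page.
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: no Domain attribute, so the cookie is
    host-only instead of being shared with every subdomain; SameSite=Lax stops
    the browser attaching it to cross-site top-level POSTs."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_change_email_form(session_id: str) -> str:
    """HTML form carrying the hidden csrf-token field, as in the compliant snippet."""
    token = issue_token(session_id)
    return (
        '<form method="POST" action="/email/change">\n'
        f'  <input type="hidden" name="csrf-token" value="{token}" />\n'
        '  <input type="email" name="email" required />\n'
        '  <button type="submit">Change email</button>\n'
        "</form>"
    )


def parse_cookie(header: str) -> dict:
    """Parse a Cookie request header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def handle_request(method: str, path: str, headers: dict, form: dict) -> tuple:
    """Return (status, message). Only a POST with a valid token may change state."""
    if path != "/email/change":
        return 404, "not found"
    if method != "POST":
        # A state change over GET is the non-compliant pattern shown above: refuse it.
        return 405, "method not allowed"
    session_id = parse_cookie(headers.get("Cookie", "")).get("session")
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        return 401, "no session"
    expected = session.get("csrf_token")
    supplied = form.get("csrf-token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid csrf token"
    session["email"] = form.get("email", "")
    return 200, "email changed"


if __name__ == "__main__":
    sid = "yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE"  # constructed session id
    print(render_change_email_form(sid))
    # Forged cross-site POST: the attacker's page cannot supply the token.
    print(handle_request("POST", "/email/change", {"Cookie": f"session={sid}"}, {"email": "x"}))
    # Legitimate submission from the rendered form.
    print(handle_request("POST", "/email/change", {"Cookie": f"session={sid}"},
                         {"email": "x", "csrf-token": issue_token(sid)}))
```

Note that the token lives only in the session store and the rendered form; a forged request from another origin arrives with the victim's cookie but without the token, and is refused before any state changes.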