Cross-Site Request Forgery
Fundamentally, Cross-Site Request Forgery (CSRF) means abusing the session of a user who is logged in to a website to make API calls on their behalf, without their consent. For instance, an API call that changes their password.
XSS is a common technique for delivering a CSRF attack.
Many modern browsers have built-in anti-CSRF measures, such as the Content-Security-Policy header.
You can find payloads on PayloadsAllTheThings/CSRF. During CTFs, you can test the payload with an HTTP request grabber first.
<!-- Auto-submitting form: the victim's browser attaches its session cookie to this POST -->
<form id="autosubmit" action="https://<target_form_URL>" method="post">
  <!-- one hidden input per field the target endpoint expects -->
  <input type="text" name="xxx" value="yyy" hidden>
  <button type="submit">Submit</button>
</form>
<script>
  // submit as soon as the page loads, without any user interaction
  document.getElementById("autosubmit").submit();
</script>
During CTFs, it may take between one and five minutes before the payload is triggered.
Anti-CSRF Token
Some websites have a CSRF token, mostly attached to HTML forms, as a protection against CSRF attacks and against automation tools.
It is a generated value that is added to the form, often as a hidden HTML <input> field. It proves that whoever submits the form actually visited the page containing the form beforehand.
Many tools have built-in switches to handle or bypass such forms.
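As an added example (not code from the original page), here is the server side of the anti-CSRF token check described above, in the HMAC-bound synchronizer-token variant: the token minted with the form is tied to the session id, and the POST handler rejects the auto-submitting form's request because the browser sends the session cookie but no valid token. The handler, request layout and session/cookie names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side signing key; loaded from configuration in a real deployment.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id: str) -> str:
    """Mint a token for the page that renders the form.

    Token = nonce '.' HMAC(key, session_id ':' nonce). Binding the MAC to the
    session id means a token minted in the attacker's own session cannot be
    pasted into a form aimed at the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def change_password(request: dict) -> tuple:
    """Toy POST handler (assumed layout): request = {"cookies": {...}, "form": {...}}.
    Returns an (HTTP status, message) pair."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    if not verify_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "password changed"

# Constructed sample traffic. The victim's browser attaches the session cookie
# to every request; only the one from the real page carries a valid token.
VICTIM = "sess-victim"
legit = {"cookies": {"session": VICTIM},
         "form": {"new_password": "hunter2", "csrf_token": issue_token(VICTIM)}}
# What the auto-submitting <form> produces: cookie present, no token at all.
forged = {"cookies": {"session": VICTIM}, "form": {"new_password": "pwned"}}
# A token minted in the attacker's own session, replayed against the victim.
cross = {"cookies": {"session": VICTIM},
         "form": {"new_password": "pwned", "csrf_token": issue_token("sess-attacker")}}

if __name__ == "__main__":
    for name, req in (("legit", legit), ("forged", forged), ("cross-session", cross)):
        print(name, change_password(req))
```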