Cross-Site Request Forgery (CSRF)

In a CSRF attack, a malicious website causes the victim's browser to send a state-changing request (a form POST, an image fetch, a top-level navigation) to a site where the victim is already logged in. Because the browser attaches that site's cookies to every request bound for it, regardless of which page triggered the request, the target site (the bank in the demo below) receives a request carrying a valid session cookie and cannot tell it apart from one the user intended. The attacker never sees the cookie or the response; the damage is done purely by the request being executed under the victim's session.

Prevention

- CSRF tokens (synchronizer tokens): the server embeds an unpredictable, session-bound value in each form it serves and rejects any state-changing request that does not echo it. A cross-site page cannot read the bank's pages, so it cannot learn the token. Compare it in constant time and never accept it from a cookie alone.
- SameSite cookies: marking the session cookie SameSite=Lax or Strict makes the browser withhold it on cross-site requests, so the forged request arrives unauthenticated. Lax still sends the cookie on top-level GET navigations, so state-changing GET endpoints stay exposed, and Chromium's Lax-by-default for cookies without an explicit attribute exempts cookies newer than two minutes from the POST restriction; treat SameSite as defence in depth, not the only control.
- Check the Origin header: browsers set Origin on cross-origin POSTs and it cannot be altered by page script. Reject state-changing requests whose Origin (falling back to Referer, and failing closed when both are absent) is not an expected origin.
- Double-submit cookie: the server sets a random value in a cookie and requires the same value in a request parameter; a cross-site page cannot read the cookie to copy it. This is weaker than a synchronizer token, since anyone who can set a cookie for the domain (for example from a sibling subdomain) can forge the pair.