June 24, 2026
CSRF Explained Like You're Five
Hey friends! Nitin here

By Nitin Yadav
2 min read
CSRF sounds scary, but the idea is genuinely simple once you get it. Let me explain it like you're five (no offense).
The Core Idea
CSRF = Cross-Site Request Forgery. It means tricking YOUR browser into doing something on a website you're logged into, without you meaning to.
Here's the kid version: imagine your browser is a loyal dog that does whatever its owner (a website) says. CSRF is a stranger throwing a ball and the dog fetching it, because the dog can't tell the command came from the wrong person.
A Real Example
Say your bank has a "transfer money" feature. When you click it, your browser sends a request, and because you're logged in, your browser automatically attaches your login cookies. The bank sees the cookies and goes "yep, that's Nitin, do the transfer."
Now an attacker makes a sneaky webpage with a hidden form that fires that SAME transfer request. You visit their page (thinking it's a funny cat video). Your browser sends the transfer request WITH your cookies attached. The bank does it. Money gone.
The attacker never saw your password. They just borrowed your logged-in browser.
What Makes A Site Vulnerable
A site is vulnerable to CSRF when it relies ONLY on cookies to verify a request and has no extra protection. The fix is usually a "CSRF token": a secret, unpredictable value that the real site puts into its own forms and that an attacker's page cannot read or guess. No token check = CSRF possible.
How To Hunt It
- Find a state-changing action (change email, change password, transfer, delete)
- Capture the request in Burp
- Look: is there a CSRF token? A random secret value in the request?
- If NO token → likely vulnerable already; if there is one → try removing/changing it and replaying. Does the action still work?
- If it works without proper verification → likely CSRF
- Build a simple proof-of-concept HTML page that fires the request to prove it
The Juiciest Target
Go for actions that matter: changing the account email or password. Why? Because a CSRF that changes someone's email can lead to a FULL account takeover (change email → reset password → own the account). That escalation turns a "medium" into a "critical."
My Honest Tip
Don't just check IF there's a token, check if it's actually VALIDATED. I've seen sites with CSRF tokens that… don't get checked at all. Remove the token, send the request, and it still works. The defense was decorative. Always test whether the protection is real, not just present.
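To make the last three sections concrete, here is an added example in Python (my own illustration, not code from Nitin's post or from any real site). It builds three toy "transfer money" endpoints, one with no token, one with a decorative token that is read but never compared, and one that really validates the token against the session, and then runs the hunting steps from "How To Hunt It" against each: is there a token, does the action still succeed with the token removed, does it still succeed with the token changed. The session store, the `Request` class, the handler names and `csrf_check` are all constructed stand-ins; nothing here touches a network or Burp.

```python
"""Constructed CSRF illustration: three toy transfer endpoints plus a checker
that walks the hunting steps (token present? works without it? works with a
wrong one?). No real bank, network or proxy is involved."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed session store: cookie value -> session record.
# Each session gets its own random token, so a token from one session
# is useless for another.
SESSIONS = {"sess-nitin": {"user": "nitin", "csrf_token": secrets.token_urlsafe(32)}}


@dataclass
class Request:
    cookies: dict
    form: dict


def _session_for(request):
    """Look up the logged-in user from the session cookie.
    This is the ONLY check a CSRF-vulnerable site makes."""
    return SESSIONS.get(request.cookies.get("session"))


def transfer_no_token(request):
    """Vulnerable: trusts the cookie alone, the case described in the post."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    return 200, f"transferred {request.form['amount']} for {sess['user']}"


def transfer_decorative_token(request):
    """Looks protected: the form carries csrf_token, but the server never
    compares it. This is the 'decorative' defense from the honest tip."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    _ = request.form.get("csrf_token")  # read and then ignored
    return 200, f"transferred {request.form['amount']} for {sess['user']}"


def transfer_validated_token(request):
    """Protected: the submitted token must equal the one bound to this session.
    hmac.compare_digest keeps the comparison constant-time."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {request.form['amount']} for {sess['user']}"


def csrf_check(handler, captured):
    """Run the hunting steps against one captured state-changing request.

    Replays it twice: once with the token field stripped, once with the value
    changed. A handler that still returns 200 for either replay is not doing
    real CSRF validation, whether or not a token field was present."""
    baseline_status, _ = handler(captured)
    has_token = "csrf_token" in captured.form

    # Replay 1: remove the token entirely.
    stripped_form = {k: v for k, v in captured.form.items() if k != "csrf_token"}
    stripped_status, _ = handler(Request(captured.cookies, stripped_form))

    # Replay 2: keep the field but send a wrong value.
    altered_form = dict(captured.form, csrf_token="not-the-real-token")
    altered_status, _ = handler(Request(captured.cookies, altered_form))

    return {
        "token_present": has_token,
        "works_without_token": stripped_status == 200,
        "works_with_wrong_token": altered_status == 200,
        "likely_csrf": baseline_status == 200
        and (stripped_status == 200 or altered_status == 200),
    }


def captured_request(include_token=True):
    """Constructed stand-in for the request you would capture in a proxy."""
    form = {"to": "acct-42", "amount": "100"}  # constructed sample values
    if include_token:
        form["csrf_token"] = SESSIONS["sess-nitin"]["csrf_token"]
    return Request(cookies={"session": "sess-nitin"}, form=form)


if __name__ == "__main__":
    cases = [
        ("no token", transfer_no_token, captured_request(include_token=False)),
        ("decorative token", transfer_decorative_token, captured_request()),
        ("validated token", transfer_validated_token, captured_request()),
    ]
    for name, handler, req in cases:
        print(f"{name:17s} {csrf_check(handler, req)}")
```

Running it shows the point of the honest tip: the "no token" and "decorative token" endpoints both come back with `likely_csrf: True`, even though the second one has a token field in the request, while only the validated endpoint rejects the stripped and altered replays. The same replay logic is what you would apply by hand in Burp's repeater: remove the token, change the token, see whether the server still says 200.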
Next post: file upload bugs, turning a harmless image upload into something much more powerful.
Stay sharp!