Cross-Site Request Forgery (CSRF) is a type of cyberattack where an attacker secretly performs actions on a web page in the name of an authenticated user. This is achieved by tricking the user's browser into sending unintended requests to another website or web application where the user is already logged in. The goal of a CSRF attack is to execute actions within the context of the authenticated user without the user's intent.
Here's a typical process in a CSRF attack:
The attacker creates a fake website or a malicious link that triggers an action on the target website.
The user who is lured into the fake website or clicks on the malicious link is already logged into the target website.
The fake website or the malicious link sends a request to the target website to perform an unwanted action on behalf of the user. This could include changing the password, initiating money transfers, or posting content on social media.
Since the request is received by the target website as an authenticated user, the website executes the request without realizing it's an attack.
CSRF attacks are particularly dangerous when the target website allows confidential or sensitive actions without requiring additional user authentication steps or confirmations. To protect against CSRF attacks, website developers can implement measures like CSRF token checks, where each request is verified to include a valid CSRF token. Users can also protect themselves by logging out when leaving a website and ensuring they don't open untrusted links or websites. Modern web browsers also have built-in safeguards against CSRF attacks.