
Getting to Know CSRF (Cyber Attack): The Quiet Attack That Uses Our Identity

Imagine this:
You’re logged into your online banking on your laptop. While waiting for a transaction to complete, you open another tab to read the news. Unbeknownst to you, one of the pages you visit sneaks in hidden code that automatically “orders” your browser to send a request to the bank — for example, to transfer money. The bank trusts the request because it arrives with your valid session cookie.

That’s called a CSRF (Cross-Site Request Forgery): a cyber attack that exploits a site’s trust in its authenticated user.

How Can This Cyber Attack Happen?
CSRF takes advantage of what’s actually normal behavior on the web, not a browser bug:

  • Cookies are sent automatically: Once you’re logged in, your browser includes login cookies whenever it accesses that domain.
  • Cross-site requests are allowed: A page can make your browser send requests to other domains (through images, forms, links, or scripts) even though the same-origin policy stops it from reading the responses. That means a malicious page can cause your browser to make requests to legitimate sites on your behalf.
  • Endpoints without protection: If the target site doesn’t require extra validation (like an anti-CSRF token), that malicious request may be accepted as legitimate.

The method can be very simple. For instance, a malicious page might inject:

<img src="https://bank.com/transfer?amount=100000&to=attacker">

If you happen to be logged in to bank.com and your session cookie is not restricted to same-site requests, your browser sends that transfer request with your cookies attached. The attacker never sees the reply, but the transfer still goes through if the bank accepts the request.
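To make that rule concrete, here is an added example (not code from the original article) that models how a browser decides whether to attach a cookie to a request, depending on the cookie's SameSite attribute and on whether the request is same-site, a hidden cross-site image load, or a top-level link click. The hosts bank.com and news.example, the cookie, and the requests are constructed sample data, and the site-matching helper is simplified (real browsers consult the Public Suffix List).

```javascript
// Added example (not code from the original article): a small model of the
// browser rule deciding whether a cookie travels with a request, based on the
// cookie's SameSite attribute and the request context. All hosts, cookies and
// requests below are constructed sample data.

// "Site" of a host: the registrable domain. Simplified to the last two labels;
// real browsers consult the Public Suffix List (e.g. for co.uk).
function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Methods a Lax cookie may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Decide whether `cookie` is attached to `req`.
//   cookie: { name, domain, sameSite: 'None' | 'Lax' | 'Strict', secure }
//   req:    { url, initiatorSite (host of the page that caused the request),
//             topLevelNavigation (true for link clicks / form submits, false
//             for <img>, <script>, fetch), method }
function cookieIsSent(cookie, req) {
  const target = new URL(req.url);
  // Cookies are scoped to a host; a different host never receives them.
  if (target.hostname !== cookie.domain) return false;
  // Secure cookies only travel over HTTPS.
  if (cookie.secure && target.protocol !== 'https:') return false;

  // Same-site requests always carry the cookie, whatever SameSite says.
  if (siteOf(target.hostname) === siteOf(req.initiatorSite)) return true;

  switch (cookie.sameSite) {
    case 'None':
      return true;                       // cross-site: attached (the classic CSRF surface)
    case 'Strict':
      return false;                      // cross-site: never attached
    case 'Lax':
      // Attached only on top-level navigations with a safe method (a link
      // click), not on subresource loads or cross-site POSTs.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// The article's scenario: a logged-in bank.com user visits news.example.
// Returns, for the given SameSite setting, whether the session cookie rides
// along on (a) a hidden <img> load, (b) a top-level link click to the same
// URL, (c) the bank's own transfer form submitted from www.bank.com.
function csrfScenario(sameSite) {
  const sessionCookie = { name: 'session', domain: 'bank.com', sameSite, secure: true };
  const hiddenImage = {
    url: 'https://bank.com/transfer?amount=100000&to=attacker',
    initiatorSite: 'news.example',
    topLevelNavigation: false,
    method: 'GET',
  };
  const linkClick = { ...hiddenImage, topLevelNavigation: true };
  const ownForm = {
    url: 'https://bank.com/transfer',
    initiatorSite: 'www.bank.com',
    topLevelNavigation: true,
    method: 'POST',
  };
  return {
    hiddenImage: cookieIsSent(sessionCookie, hiddenImage),
    linkClick: cookieIsSent(sessionCookie, linkClick),
    ownForm: cookieIsSent(sessionCookie, ownForm),
  };
}

for (const mode of ['None', 'Lax', 'Strict']) {
  console.log(mode, csrfScenario(mode));
}
```

With SameSite=None the hidden image carries the session cookie, which is exactly the case described above. Lax stops the image load but still sends the cookie on a top-level link click, which is why state-changing GET endpoints stay dangerous; Strict blocks both. Chromium-based browsers treat cookies that set no SameSite attribute as Lax, but that default has exceptions and is not universal, so the attribute should always be set explicitly.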

The Dangers of CSRF (Cyber Attack)
The consequences depend on what the vulnerable endpoint does, but all are serious:

  • Unauthorized money transfers
  • Changing recovery email or phone number (enabling account takeover)
  • Deleting or corrupting important data
  • Adding backdoors such as API keys or admin accounts

CSRF might not steal your password directly, but it can change account settings enough for attackers to later reset passwords and take over accounts.

How Common Is This Attack?
Some people assume CSRF is an “old” problem that’s gone away. The truth: it hasn’t disappeared.

  • The ENISA Threat Landscape 2023 reports that weaknesses like CSRF still appear widely in large vulnerability datasets.
  • Industry reports such as Edgescan 2024 and Verizon DBIR 2024 emphasize that web application vulnerabilities remain a primary entry point for incidents.
  • Up through 2025, new CVEs continue to be published documenting CSRF issues in plugins, CMSs, and popular software.

In short: CSRF may not make daily headlines, but it’s commonly found in vulnerability scans and can be exploited in practice.

How to Prevent It

For developers

Web developers carry the main responsibility to close CSRF attack vectors:

  1. Use anti-CSRF tokens — unique, unguessable secret values tied to the user’s session and required on every state-changing form submission or request; compare them in constant time.
  2. Set cookies with SameSite — SameSite=Lax keeps the session cookie off cross-site subresource loads (such as the hidden image above) and cross-site POSTs while still allowing top-level GET navigations; Strict withholds it on every cross-site request.
  3. Validate request origin — check the Origin header (or Referer as a fallback) before processing critical actions, and reject the request when both are missing or do not match your own origins.
  4. Separate API authentication — prefer Authorization: Bearer headers over cookies for public APIs when appropriate, since browsers never add an Authorization header to a request on their own.
  5. Avoid side effects on GET — don’t make destructive actions respond to GET requests; a plain link or image tag can only produce a GET.
  6. Use framework protections — Django, Laravel, Rails, and Spring Security ship CSRF middleware; Express has no built-in protection and relies on third-party middleware, so check that the package you choose is still maintained.

For users

Although developers must fix the root causes, users can take steps to reduce risk:

  • Log out when finished using sensitive services.
  • Avoid clicking suspicious links while logged into important accounts.
  • Separate browsing contexts — use a dedicated browser or profile for banking and another for general browsing.
  • Enable 2FA to make account takeover harder even if settings are changed.
  • Keep your browser updated and use privacy settings that limit cross-site tracking.

CSRF is a stealthy attack that abuses the trust between a user’s browser and a website. It’s not flashy like a defacement, but it can be far more damaging because it happens without the user’s awareness.

As of 2025, CSRF still appears in international security reports. The good news: with proper developer practices (tokens, SameSite cookies, origin checks) and careful user habits, the risk can be greatly reduced.

So next time you’re logged in to something important, remember: the other tabs you open could be a bridge for attackers—if the site you’re using hasn’t been properly protected.
