Enhance your password security.

Get Started
CTA icon
Hardening web applications

Cybersecurity Series: What is cross-site request forgery (CSRF) and how to defend against it

August 31, 20224 min read


In our second article of this cybersecurity series, we will be taking a look to Cross-site request forgery (CSRF). As a password manager, TeamPassword takes pride in maintaining your password data secured from attackers, but passwords managers alone cannot keep you safe. It is necessary to be aware of the main attack vectors that hackers may use to exploit cybersecurity vulnerabilities and be mindful of them while browsing the Internet.

What is cross-site request forgery and how can you defend against it?

How does CRSF work? 

Cross-site request forgery, abbreviated as XSRF or CSRF, is an attack that attempts to have users unknowingly execute actions on a web application for which they are currently authenticated. This attack is similar to the Cross-site scripting attacks (XSS), but it exploits a different type of trust: the trust that a web application has in an authenticated user.

Using this type of attack, the hacker could, for example, change the user's email address or password in the vulnerable web application, transfer funds from the user's bank account, or gain control over the user's account.

For the CRSF to work, four conditions need to happen:

1. Cookie-based session handling.

By definition, a cookie is a piece of data from a website that is stored within a web browser that the website can retrieve at a later time. Every time we log into a web application, a cookie is sent automatically to our browser so that the web application can verify our login. This way, we will be authenticated by this web application and we can take any actions we want within it. 

2. No unpredictable request parameters.

The action request (for example, changing the user's email address) does not contain any parameters whose values will be unknown to the attacker. 

3. The user clicks the malicious URL.

This is usually done by social engineering to trick the victim into clicking the URL that the attacker carefully crafted. Once clicked, the action request will be triggered without the user knowing it.

4. The user must be logged in to the vulnerable web application.

If the user is logged in to a vulnerable web application, the attacker can use the CRSF attack to exploit it, so it is always safer to log out before browsing the Internet.

An Example of a CSRF Attack

For example, let's say the user has logged in to an online banking web application. The user's browser will now have a session cookie that authenticates it in that web application.

The user decides to browse their favorite forum while being logged into that web application. There, they stumble upon an interesting post with a link, and they click it. The link looked like this, but he didn't notice it at the time:

<a href="http://vulnerable-bank.com/transfer_funds?acct=JOSE&amount=3000">Check it out!</a>

Without them knowing, clicking the link has triggered a request action that sends the user's funds to the attacker's bank account.

The request might look like this:

POST /transfer_funds HTTP/1.1
Host: vulnerable-bank.com
Content-Type: application/x-www-form-urlencoded
Cookie: SessionID=d3yght4s6


How to prevent CSRF attacks?

Prevention by End Users

Although CSRF is fundamentally a problem with the web application, there are two main actions that end users can take to protect themselves:

1. Before clicking on a link, always double-check that it leads you to a trustworthy website and that is not triggering any action you might not want to take.

2. Remember to log off the website before visiting another, or clear the browser's cookies at the end of each session.

Prevention by Web Developers

For the software application itself, there are several ways to harden it to prevent this type of attack:

1. Use secure tokens that the attacker would not know to embed in the link. The best way to achieve this is through a CSRF token. A CSRF token is a secure random token that is used to prevent CSRF attacks. An approach that is normally effective is to transmit the token to the client within a hidden field of an HTML form that is submitted using the POST method. The token will then be included as a request parameter when the form is submitted:

<input type="hidden" name="csrf-token" value="{{ csrf_token }}" />

2. Check the referring URL in requests received from end users and only accept requests originating from their own site.


Web applications are complex ecosystems, which makes it important for cybersecurity professionals to harden them against any type of attack. As an end user, it is always good to use reliable applications with certified security, especially if the application handles valuable data for you or your organization. At TeamPassword, we take security seriously, as we are the custodians of important password data. Join the hundreds of companies that trust us, and rest easy knowing that your data is in the right place.

facebook social icon
twitter social icon
linkedin social icon
Enhance your password security

The best software to generate and have your passwords managed correctly.

TeamPassword Screenshot
Recommended Articles
Person using Telegram messaging service


May 14, 20249 min read

How End-to-End Encryption Ensures Secure Communication

Does end-to-end encryption offer better and more secure communication? Find out exactly what end-to-end encryption means, the benefits ...

A man typgin on a laptop while holding his phone, there are different security icons overlayed including a log in screen and a lock and masked password.


May 9, 202411 min read

5 Ways Adaptive Authentication Can Protect Your Business From Cyberattacks

Adaptive authentication can streamline access to your business systems whilst protecting your organization from cyberattacks. Here's how it ...

Two men sitting at a table, one on his phone and the other on a laptop. The words compliance, regulations, law, and standards are overlayed.


April 30, 20247 min read

SOC 2 password security compliance requirements in 2024

Security compliance is an ongoing, active process aimed at protecting an organization’s data, as well as the data ...

The Password Manager for Teams

TeamPassword is the fastest, easiest and most secure way to store and share team logins and passwords.