Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery, often pronounced "sea surf", happens when a website the victim is visiting causes the victim's browser to send a request to another service where the victim is already authenticated. Because the browser attaches that service's cookies automatically, the request arrives looking like it came from the user. If the service has no countermeasures (a CSRF token tied to the session, SameSite cookies, Origin/Referer validation), the attacking page is effectively treated as authenticated and can perform a multitude of potentially dangerous actions on the user's behalf. Note that CORS is not a CSRF defence: it only restricts reading cross-origin responses, and a plain form POST is sent without any preflight.

Imagine a person logging in to their bank account, transferring money and then not logging out; they go to their e-mail and click a link to a malicious website, which makes their browser submit a request to the bank transferring money to the attacker. The browser automatically sends along every cookie it holds for the bank's domain, so the bank sees a valid session.

Tips: Use Burp to check all the resources that are called when you visit a target site / application. Forms tend to be protected by frameworks, but APIs are a different story: endpoints that authenticate on a cookie alone, accept form-encoded or text/plain bodies, or change state over GET are the usual places CSRF survives.

Examples: Shopify missing CSRF protection, or Badoo returning their CSRF token in a response.
