What Is CSRF?
Cross-Site Request Forgery (CSRF) tricks a logged-in user's browser into making a request the user never intended — to a site they're already authenticated with. The attacker can't read the response or steal the session; they simply cause an action to happen using the victim's existing authority. This chapter explains the mechanism that makes that possible, because every defence later in the course targets one specific link in this chain.
The Core Idea: A Confused Deputy
CSRF is a classic confused deputy problem. A "deputy" is something that acts on behalf of someone with more authority than the requester. Here the deputy is your browser: it holds your authority for yourbank.com (your session), and it will faithfully attach that authority to any request to that site — even a request initiated by a totally unrelated, malicious page. The browser is "confused" into using your authority for the attacker's intent.
Why the Browser Cooperates: Ambient Authority
The enabling mechanism is ambient authority — authority that's applied automatically, in the background, without the requesting code having to present it explicitly. Cookies are the textbook example:
| The browser rule | The consequence for CSRF |
|---|---|
| Cookies for a domain are attached to every request to that domain… | …even when the request was triggered by a different site |
| This happens automatically, with no action from the page making the request | The attacker's page doesn't need (or get) access to the cookie itself |
| The server sees a request with a valid session cookie | It looks indistinguishable from a genuine one |
That last row is the crux: from the server's perspective, a forged request carrying your valid session cookie looks exactly like a legitimate one. There's nothing in the cookie alone to reveal whether you intended the request or an attacker's page did. That ambiguity is the vulnerability.
A Concrete Attack: The Forged Money Transfer
Suppose yourbank.com performs transfers via a simple form POST:
Now the attacker hosts this on evil.com and lures you to visit it (a link, an ad, an email):
You never clicked "transfer." You may never even see it happen — the attacker doesn't need to read the response, only to trigger the action. That's a complete CSRF attack.
What CSRF Is Not
Precision here prevents confusion later (Chapter 4 expands this):
- Not credential theft — the attacker never obtains your password or cookie; they ride the session you already have.
- Not data theft — classic CSRF is "write-only." The attacker causes an action but generally can't read the response (the same-origin policy blocks that). CSRF is about doing, not reading.
- Not XSS — XSS runs the attacker's script on the victim site; CSRF runs no script on the target at all, it just sends a request to it from elsewhere. Different attack, different defence.
Hands-On Exercises
In your own words, explain the "confused deputy" framing of CSRF: who is the deputy, whose authority does it hold, and how is it confused? Then state precisely why the attacker does not need to steal the session cookie for the attack to work.
📄 View solutionWrite out the five steps of the forged-transfer attack as a sequence, labelling at which step the victim's cookie gets attached and by whom. Then identify which single step would be prevented if the bank required a secret value the attacker couldn't predict.
📄 View solutionList the three preconditions a CSRF attack requires. For each, give a one-line example of a defence (from anywhere you know, or guess) that would remove it. This builds the mental map the rest of the course fills in.
📄 View solutionChapter 1 Quick Reference
- CSRF = tricking a logged-in user's browser into making an unintended request to a site they're authenticated with
- Confused deputy — the browser is the deputy; it applies your authority to a request an attacker initiated
- Ambient authority — cookies auto-attach to every request to their domain, even cross-site ones
- A forged request with your valid cookie looks identical to a genuine one to the server — that ambiguity is the vulnerability
- CSRF attacks intent, not authentication — no password or cookie is stolen
- Classic CSRF is write-only — it causes an action; it generally can't read the response (same-origin policy)
- Three preconditions: cookie-only authorization · forgeable parameters · cross-site credentialed requests — break any one to stop it
- Next chapter: how the browser enables it — cookies, credentialed requests, and which elements send them cross-site