Wanna Bet That CSRF Is Not As Hard As You Think?

This article was originally published at https://www.stackzero.net/csrf-introduction/

CSRF is one of the most known web application vulnerabilities, but, it could be pretty hard to understand it deeply.
So I’m trying to make this introduction to CSRF as beginner-friendly as possible.
Obviously, I assume that the reader has a minimum of basic IT knowledge.
Curiously, people usually understand XSS or SQL injection better than CSRF, even if they are more tricky in my opinion.
My guess is that they lack the right basics of how the HTTP protocol works.

That’s why before starting with the gist of the article, I would like to briefly introduce the parts of HTTP that are essential to understanding the CSRF attack.

HTTP is a stateless protocol by design but unfortunately, it sufficient with web applications so there was a need for a solution.

We need to keep some data when moving from one page to another (try to imagine a step-by-step online chart or maybe a web application which requires keeping the login state).

In order to solve this problem a feature has been introduced by which the server can store the information about the user’s session in a cookie. Now the…