In this chapter, we learned about how to detect and exploit one of the most extender vulnerabilities. CSRF is extended, and I think it is easier than other bugs, as it is not commonly reported as others. As a recap, let's have a look at the following points:

• CSRF bugs could be in GET or POST requests. Using one instead of the other is not a protection. It requires more effort to exploit a POST request.
• Remember that the cookies are vulnerable, so always control of them in the client side.
• To detect vulnerable GET requests, just use the map created by the HTTP Proxy, and look for requests to methods in the application, internal or external.
• Pay special attention to APIs. Currently, all the developers want to construct service-oriented applications, and they are susceptible to CSRF attacks.
• Use the <img> tag to test GET requests.
• Create forms to perform actions on vulnerable POST requests, using hidden fields to send the information required by the application.
• There are a lot of anti-CSRF protections, and most of them are included in the most-used web technologies. Avoid reinventing the wheel.