A Cross-Site Request Forgery (CSRF) (some people pronounce it as sea surf), can be exploited when an attacker takes advantage of the user session to perform state-changing requests such as posting to a social network platform, money transfers, and much more.

This attack will involve some social engineering efforts from the attacker to convince the victim to visit the infected site. Imagine that the victim is an admin of a system, then the attacker can manipulate that system if it doesn't have a CSRF protection. The most popular question in interviews for Application Security Engineer positions is the following: What is the difference between XSRF and XSS? The simpler the answer is, the better. In summary, XSS attacks rely on executing JavaScript in the victim's browser, while XSRF relies on taking advantage of the victim's session. Next time you have an interview, keep that in mind, maybe it will get you your dream job!

First of all, you need to understand an important basic concept. When you first authenticate to a website, a session cookie will be created uniquely for you and this cookie will remain until it expires. Another tricky thing about this concept is that your session cookie will remain even if you browse to another site (for example, the attacker site). Let's take a look at an example of CSRF: