What is CSRF (Cross-Site Request Forgery)? Complete Guide with Examples (2026)

-
What is CSRF (Cross‑Site Request Forgery)? Complete 2026 Guide with Real Banking Attack Examples, Code Walkthroughs & CSRF Protection Best Practices

What is CSRF (Cross‑Site Request Forgery)? Complete 2026 Guide with Real Banking Attack Examples, Code Walkthroughs & CSRF Protection Best Practices

By Amardeep Maroli | April 5, 2026 | Web Security, CSRF, Cybersecurity | 11 min read
Cross‑site request forgery CSRF attack diagram showing attacker, victim, and bank server

Most developers hear “use CSRF tokens” but don’t understand why or how the attack actually works. This post explains CSRF in web security from the attacker’s perspective — exactly how they steal money from your banking app — then shows the specific defenses that stop each technique, including real code examples and modern best practices from OWASP‑style guides.

If you want to also learn about injection‑style attacks, you can read my guide on XSS attacks next.

In this post:
  1. What is CSRF (Cross‑Site Request Forgery) in 2026?
  2. Real banking transfer CSRF attack with code example
  3. CSRF attack examples in real‑world apps
  4. CSRF tokens — how they actually stop CSRF
  5. SameSite cookies — modern browser‑level protection
  6. Express.js CSRF protection walkthrough (Node.js)
  7. CSRF vs XSS — key differences and defenses
  8. Your complete CSRF protection checklist for 2026

What is CSRF (Cross‑Site Request Forgery) in Web Security?

CSRF tricks your logged‑in browser into making requests to sites where you’re authenticated. Your session cookie goes with every request automatically — so the target site thinks you made the request, even though it was triggered from a malicious page.

No password needed: Unlike phishing, attackers don’t steal credentials. They misuse your existing login session to perform actions like money transfers, password changes, or profile edits.

Simple CSRF scenario (shopping app)

A user is logged into an online store and has items in their cart. An attacker tricks them to visit a malicious page that automatically sends a hidden form to /add-to-cart or /checkout with pre‑filled values. Because the browser sends the session cookie, the order is created without the user noticing.

Real Banking CSRF Attack Example (with HTML Code)

You’re logged into bank.com. You visit evil.com (maybe a phishing link). Their page contains a hidden form that auto‑submits a money transfer.

<!-- evil.com/steal.html -->
<form action="https://bank.com/transfer" method="POST" id="evil">
  <input type="hidden" name="amount" value="5000">
  <input type="hidden" name="to" value="attacker_account">
</form>
<script>document.getElementById('evil').submit();</script>

Your browser sends the transfer request with your session cookie. If the bank has no CSRF protection, the $5000 transfer is processed instantly. This is the classic CSRF banking attack pattern seen in real vulnerabilities like ING Direct and similar platforms.

3 Ways Attackers Trigger CSRF in Real Apps

  • Auto‑submit form: Hidden form + JavaScript submit() (as shown above). Easy to embed in social‑media or phishing pages.
  • Image trick: <img src="https://bank.com/transfer?amount=5000&to=attacker"> — forces a GET request when the image is loaded. Works if the app allows state‑changing actions over GET.
  • Link click: “Click for free gift!” or “Check your prize” styled button that submits a form behind the scenes, often using button disguised as a simple link.

These tricks rely on the browser’s automatic behavior: sending cookies and credentials for any request to the target domain, even if it was triggered from a third‑party site.

How CSRF Tokens Actually Stop the Attack

CSRF tokens (also called “synchronizer tokens”) are the primary defense against CSRF. Every form gets a unique, unpredictable token that only the server and your legitimate page know.

POST /transfer
csrf_token=abc123XYZ&amount=100&to=friend

Token pattern in the HTML form

<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="abc123XYZ">
  <input type="text" name="amount" value="100">
  <input type="text" name="to" value="friend">
  <button type="submit">Transfer</button>
</form>
Server checks: Does submitted csrf_token match the session token? No match = reject request. This pattern is recommended by OWASP and modern web security guides.

SameSite Cookies – Browser‑Level Protection Against CSRF

Servers can tell browsers not to send cookies on cross‑site requests, weakening CSRF attacks.

Set-Cookie: session=abc123; SameSite=Strict; Secure

SameSite=Strict means cookies are not sent on cross‑site requests at all. SameSite=Lax relaxes this but still blocks many dangerous scenarios. Combined with HTTPS‑only cookies, this dramatically reduces the CSRF surface.

Example in Node.js / Express

const csrf = require('csurf');
const express = require('express');
const cookieParser = require('cookie-parser');

const app = express();
app.use(cookieParser());

const csrfProtection = csrf({ cookie: true });

app.get('/form', csrfProtection, (req, res) => {
  res.send(`
    <form action="/process" method="POST">
      <input type="hidden" name="_csrf" value="${req.csrfToken()}">
      <button type="submit">Submit</button>
    </form>
  `);
});

app.post('/process', csrfProtection, (req, res) => {
  res.send('Data processed safely');
});

app.listen(3000);

CSRF vs XSS — Key Differences

  • CSRF: Tricks user into sending a request
  • XSS: Executes malicious script in browser
  • CSRF needs authentication, XSS does not
  • CSRF uses victim session, XSS steals session

CSRF Protection Checklist (2026)

  • Use CSRF tokens on all sensitive forms
  • Enable SameSite cookies (Strict or Lax)
  • Use HTTPS everywhere
  • Avoid GET requests for sensitive actions
  • Implement proper session management
  • Use frameworks with built-in CSRF protection

FAQs

What is CSRF in simple terms?
CSRF is an attack where a hacker tricks your browser into performing actions on a website where you are already logged in.
How is CSRF different from XSS?
CSRF forces actions using your session, while XSS injects scripts into a website.
How do developers prevent CSRF?
By using CSRF tokens, SameSite cookies, and proper validation.

About the Author

Amardeep Maroli

MCA student and cybersecurity enthusiast from Kerala, India. I focus on API security, ethical hacking, and building secure web applications using Node.js, React, and Python. I actively work on real-world vulnerability testing, security automation, and hands-on learning in cybersecurity.

I share practical guides, real attack scenarios, and beginner-to-advanced cybersecurity knowledge to help others learn security the right way — through understanding, not just tools.

📖 Read More Posts 💻 GitHub 📢 Telegram ✉️ Contact
Tags: CSRF, web security, cross-site request forgery, OWASP, Node.js, Express security

Found this useful? Share it with other developers.
Privacy Policy Disclaimer Terms

Comments

Post a Comment

Popular posts from this blog

SQL Injection Explained: 5 Types, Real Examples & How to Prevent It (2026 Guide)

-
Image
What Is SQL Injection? Complete 2026 Guide — How It Works, Real Attack Examples, Types & Prevention With Code What Is SQL Injection? Complete 2026 Guide — How It Works, Real Attack Examples, Every Type & Prevention Code By Amardeep Maroli | April 8, 2026 | SQL Injection, Web Security, Developer Guide | 16 min read Home About Contact SQL injection has been the most exploited web vulnerability for over two decades — and it is still responsible for some of the largest data breaches every year. The 2021 LinkedIn leak of 700 million records, the 2020 Marriott breach, and thousands of smaller incidents every month all trace back to the same root cause: user input being trusted and executed as part of a database query. It sits at position A03 in the OWASP Top 10 — the globally recognised list of the most critical web application security risks. Yet despite being well-documented for 25 years, it kee...
Read more

Penetration Testing Guide: Real-World Methodology (Recon to Exploitation) [2026]

-
Image
What is Penetration Testing? Complete Beginner Guide 2026 — How It Works, Types, Tools & Career What is Penetration Testing? Complete Beginner Guide 2026 — How It Works, All Types, Real Tools & Career Roadmap By Amardeep Maroli  |  April 10, 2026  |  Penetration Testing, Ethical Hacking, Cybersecurity  |  16 min read Home About Contact At 2:17 AM on a Tuesday, a penetration tester was three days into an engagement with a mid-sized fintech company that processed billions in annual transactions. The company had firewalls, endpoint detection, multi-factor authentication, and quarterly vulnerability scans. Their security team believed they had things locked down. The tester had just chained three seemingly minor findings together: an API endpoint returning verbose error messages, an internal Jenkins server with default credentials accessible via a misconfigured VPN split-tu...
Read more

Phishing Scams in 2026: How They Work & How to Avoid Them

-
Image
What is Phishing? Types, Real Examples & How to Spot Every Attack (2026 Guide) What is Phishing? Every Type Explained with Real Examples & How to Spot Every Attack (Complete 2026 Guide) By Amardeep Maroli  |  April 9, 2026  |  Phishing, Social Engineering, Cybersecurity  |  15 min read Home About Contact In February 2024, a finance employee at a multinational company in Hong Kong received a video call from his CFO. The CFO asked him to authorise a series of urgent transfers totalling $25 million. The employee was nervous about the large amount but recognised the CFO's face, voice, and mannerisms on the call. Several other colleagues were also on the call — the employee could see their faces and hear their voices too. Every person on that call except the employee was a deepfake generated by AI. The $25 million was transferred and never recovered. That incident ill...
Read more