Suppose you’ve logged in to a website. After logging in, you remain logged in for the duration of the session (this time period can vary widely depending on the site) without having to re-enter your password. Cybercriminals take advantage of this situation. They know that logged-in users can usually perform more privileged actions than users who are not logged in.
In a nutshell, here’s how CSRF works: while you’re logged in to the site, you visit another website created by the attacker. There, you perform some action, such as clicking a button, and the attacker’s page makes your browser send an HTTP request to the site you’re signed in to. Because your session is still active, the request carries your identity, and the malicious action is executed in your name. All the attacker needs to know is the correct HTTP request, which is relatively easy to figure out.
The server of the website recognizes the HTTP request as correctly structured and sees from your cookies that you (or your browser) are still logged in. The server executes the action and you might not realize that an action has been taken on your behalf.
The CSRF attack is successful because the receiving server doesn’t check where the request is coming from. It can’t tell whether the HTTP request was generated by the website itself or by an outside source. The attacker takes advantage of a weakness in the browser: it attaches the site’s cookies to every request sent to that site, whichever page triggered it, and forwards the request without assessing the consequences.
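To make the missing check concrete, here is an added example (not code from the original article) of a server-side handler for a hypothetical money-transfer endpoint, written twice: once the way a vulnerable server behaves, trusting the session cookie alone, and once with the two checks that close the gap, an Origin/Referer check and a per-session synchronizer token that a cross-site page cannot read. The site origin, the handler names, and the sample requests are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical site origin used for the example.
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session):
    """Store a fresh random token in the session and return it so the
    server can embed it in its own forms. A page on another origin
    cannot read this value, so it cannot include it in a forged request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers):
    """Accept the request only if the browser reports that it came from
    our own origin. Falls back to the Referer header when Origin is
    absent; a request carrying neither is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_token_valid(session, form):
    """Compare the submitted token with the one stored in the session,
    using a constant-time comparison."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer_unprotected(session, headers, form):
    """Vulnerable version: the session cookie alone decides. A request
    triggered by an attacker's page looks identical to a legitimate one."""
    if not session.get("user"):
        return 401, "login required"
    return 200, f"transferred {form['amount']} to {form['to']}"


def handle_transfer(session, headers, form):
    """Hardened version: same session check, plus origin and token checks."""
    if not session.get("user"):
        return 401, "login required"
    if not origin_allowed(headers):
        return 403, "cross-site request rejected (origin check)"
    if not csrf_token_valid(session, form):
        return 403, "cross-site request rejected (token check)"
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Constructed scenario: the victim is logged in and holds a token
    # issued with the site's own transfer form.
    session = {"user": "alice"}
    token = issue_csrf_token(session)

    # Request submitted from the site's own form.
    genuine = ({"Origin": SITE_ORIGIN},
               {"csrf_token": token, "amount": "100", "to": "bob"})
    # Request the browser sends after the victim clicks a button on the
    # attacker's page: the cookie (session) is attached automatically,
    # but the Origin differs and the token is unknown to the attacker.
    forged = ({"Origin": "https://attacker.example"},
              {"amount": "100", "to": "mallory"})

    for name, (headers, form) in (("genuine", genuine), ("forged", forged)):
        print(name, "unprotected:", handle_transfer_unprotected(session, headers, form))
        print(name, "protected:  ", handle_transfer(session, headers, form))
```

The unprotected handler accepts both requests with status 200; the hardened one accepts only the genuine request and rejects the forged one with 403. Either check on its own already stops the basic attack, but they fail differently (some browsers and proxies strip Referer, and a token bug can slip through), so production frameworks typically apply both, often alongside the SameSite cookie attribute.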
Three types of CSRF attacks are carried out most frequently. The most popular technique is to plant an exploit URL. This URL is hidden on an external website or in an email. Opening the URL triggers the HTTP request. In principle, you can detect this type of URL if you’re paying close attention. However, social engineering and URL spoofing can be used to disguise the origin of the URL.
There is also potential for cross-site scripting (XSS): Some hackers, instead of setting up their own malicious website, manipulate an existing website through XSS, which is then used to perform criminal actions without the website operator’s knowledge. In this type of attack, JavaScript is typically planted on a website to carry out a CSRF attack.
A cross-site request forgery attack is also possible if attackers manage to place malware on the victim's computer. This allows them to instruct the browser directly to send the HTTP request. However, attackers who can plant viruses or malware on the client have far more options than CSRF alone.