
CSRF Attack

Intermediate

An evil website silently forges requests using your browser's session cookies. Configure SameSite cookie policy and CSRF token protection — then watch the exact HTTP traffic as the browser decides whether to send your credentials.

Protection
SameSite Cookie: cookies sent on all cross-site requests — no protection.

Attack
// evil.example.com/transfer.html
<form action="https://bank.example.com/transfer" method="POST" id="f">
  <input name="amount" value="1000">
  <input name="to" value="attacker">
</form>
<script>document.getElementById('f').submit()</script>

Challenges

1. Trigger a CSRF Attack
Set SameSite to None and CSRF Token off, then click 'Victim Visits Evil Site'. Watch the forged request succeed.

2. Deploy a CSRF Token
Enable CSRF Token protection and show the attack fails.
How to defend against CSRF
SameSite cookies, CSRF tokens, and custom headers
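The following is an added model of the simulation above, not the site's own code: it encodes the browser's SameSite decision for the forged POST /transfer and the server's CSRF token check, so each challenge configuration can be traced to its outcome. The function names (cookieSent, handleTransfer, simulate) and the session id and token value are constructed for illustration.

```javascript
// Added model of the CSRF simulation, not the site's own code. Names
// (cookieSent, handleTransfer, simulate) and the session/token values are
// constructed for illustration.

// Browser side: does the session cookie ride along on a request, given the
// cookie's SameSite attribute? Strict: never on cross-site requests. Lax: only
// on top-level navigations with a safe method (GET). None: always, but the
// cookie must also be Secure or the browser drops it entirely.
function cookieSent(sameSite, req) {
  if (!req.crossSite) return true;
  switch (sameSite) {
    case 'Strict': return false;
    case 'Lax':    return req.topLevelNavigation && req.method === 'GET';
    case 'None':   return req.secure;
    default:       return false;
  }
}

// Constant-time string compare so the token check does not leak via timing.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side: the transfer goes through only if the session cookie arrived
// and, with token protection on, the form body carries that session's token.
function handleTransfer(req, config, sessions) {
  const session = req.cookie ? sessions[req.cookie] : undefined;
  if (!session) return { status: 401, reason: 'no session cookie' };
  if (config.csrfToken && !safeEqual(session.csrfToken, req.body.csrf_token || '')) {
    return { status: 403, reason: 'missing or wrong csrf token' };
  }
  return { status: 200, reason: `moved ${req.body.amount} to ${req.body.to}` };
}

// The page's auto-submitting form is a cross-site, top-level POST whose body
// the attacker controls, so it can never carry the victim's token. With
// legitimate=true the same form is submitted from bank.example.com itself.
function simulate(config, legitimate = false) {
  const sessions = { sid123: { user: 'victim', csrfToken: 'tok-constructed-9f3c' } };
  const req = {
    method: 'POST', crossSite: !legitimate, topLevelNavigation: true, secure: true,
    body: { amount: '1000', to: legitimate ? 'landlord' : 'attacker' },
  };
  if (legitimate) req.body.csrf_token = sessions.sid123.csrfToken;
  req.cookie = cookieSent(config.sameSite, req) ? 'sid123' : undefined;
  return handleTransfer(req, config, sessions);
}
```

Challenge 1 is simulate({ sameSite: 'None', csrfToken: false }), which returns status 200; challenge 2 is the same call with csrfToken: true, which returns 403 because the attacker's form has no token, while the legitimate submission still succeeds.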

Frequently Asked Questions