⚡ MiltonMarketing.com Powered by Rocket.net – Managed WordPress Hosting
Approx. read time: 10.3 min.
Post: CSRF Testing Guide: 17 Practical Steps to Find Vulnerabilities
CSRF Testing Guide: 17 Practical Steps to Find Vulnerabilities
🔐 CSRF testing matters because it targets the "silent failure" class of bugs: everything looks normal, logs look normal, and the user never intended the action. CSRF (Cross-Site Request Forgery) abuses the fact that browsers automatically attach session cookies to requests. (OWASP Foundation)
Even today, modern cookie defaults help, but they do not magically eliminate CSRF. Treat cookie settings as "seatbelts," not "invincibility." (MDN Web Docs)
🧠 What CSRF is and why browsers make it possible
CSRF tricks a logged-in user's browser into sending an unintended request to a web app where they're already authenticated. The attacker doesn't need to steal a password to cause damage. (OWASP Foundation)
The key idea: authentication rides on cookies. If the browser sends the cookie, the server may treat the request as "the user did it." That's the crack CSRF slips through.
🎯 What counts as a “sensitive action” in CSRF testing
In CSRF testing, focus on actions that change state or move value. These are the money makers for attackers:
- Changing email, password, phone number, MFA settings
- Adding payout details, changing shipping address
- Making purchases, transfers, refunds
- Creating admin users, changing roles/permissions
- Any "update profile" endpoint that persists data
If it changes something, assume it needs CSRF defenses unless the endpoint is truly stateless and not cookie-authenticated.
🧰 Set up CSRF testing the right way (authorized + repeatable)
Do CSRF testing in environments you're allowed to test: a staging site, a dev sandbox, or an intentionally vulnerable lab. If you're doing bug bounty, stay strictly inside scope and rules.
Good practice setups:
- A dedicated test account (non-production data)
- A local lab like PortSwigger Web Security Academy CSRF labs (safe practice target) (PortSwigger)
- Burp Suite with a clean browser profile (so cookies/sessions are easy to control)
This keeps your results reproducible, and it keeps you out of trouble.
🕵️ Capture the “real” request first (Burp or DevTools)
Step one in CSRF testing is getting the exact request the browser sends.
Use:
- Browser DevTools (Network tab), or
- Burp Suite (Proxy → HTTP history)
What you want to capture:
- Method (POST/PUT/DELETE are common)
- Content-Type (form, JSON, multipart)
- Cookies and auth headers
- Any request headers like Origin / Referer
- The exact parameter names and structure
If you don't have the exact request, you're guessing.
🧾 Spot CSRF defenses in the request (tokens, headers, cookies)
Now you're doing real CSRF testing: you're searching for what prevents cross-site requests.
Look for:
- Anti-CSRF token fields in body (hidden form values)
- CSRF headers (common in JS apps)
- Server validation of
Origin/Referer - Cookie flags like
SameSite=Lax/Strictand secure settings (MDN Web Docs)
Frameworks often implement CSRF defenses by default—until someone disables them "to make the API work." (Django Project)
🧪 Steps to test for CSRF vulnerabilities (keep it legal, keep it clean)
Below is the practical CSRF testing flow (your original structure, tightened and expanded):
✅ 1) Identify a sensitive action
Look for actions that change user data, like:
- Updating an email address
- Changing a password
- Submitting a payment
These should only be possible for the legitimate user.
✅ 2) Capture the request
Use browser developer tools or a proxy like Burp Suite to intercept the request (usually a POST or PUT).
Example request shape:
POST /change-password HTTP/1.1
Host: example.com
Cookie: sessionid=abc123
Content-Type: application/x-www-form-urlencoded
password=newpass123
✅ 3) Check for a CSRF token
Look for anti-CSRF tokens in the form or request headers.
Example in form:
Example in header:
X-CSRF-Token: xyz456
✅ 4) Try the “cross-site” condition (in an authorized test env)
The point of CSRF testing is to see whether the server will accept the state-changing request without a valid anti-CSRF signal.
Instead of handing out "weaponized copy/paste," do this safely:
- Re-send the request without the token (or with an empty/invalid token)
- Re-send the request with a mismatched Origin (where possible)
- Confirm whether the server still performs the action
If the action still succeeds, you likely found a CSRF gap.
✅ 5) Check browser protections (SameSite)
- If cookies are marked
SameSite=StrictorLax, the browser may block some CSRF attempts automatically. (MDN Web Docs) - A classic CSRF risk typically needs cookies that are allowed cross-site, often
SameSite=None; Secureplus missing server-side validation. (Chromium Blog)
🧩 CSRF token quality checks (this is where many apps mess up)
In CSRF testing, don't stop at "token exists." Test whether it's good.
Check if the token is:
- Required (missing token should fail)
- Validated server-side (random string alone means nothing)
- Bound to the session/user (can't reuse across accounts)
- Rotating (per request is stronger than per session) (OWASP Cheat Sheet Series)
- Unpredictable (long enough, high entropy)
Red flags you'll see in the wild:
- Token stays the same after logout/login
- Token works across different users
- Token accepted even when blank
- Token checked only on some endpoints
🌐 Origin checks: Origin, Referer, and modern browser signals
Solid CSRF testing includes checking whether the server verifies where the request came from.
Common patterns:
- Validate
Originand/orRefererfor unsafe methods - Allow only your real front-end origins
- Reject missing or cross-site origins for sensitive actions (OWASP Foundation)
Modern option (increasingly popular):
- Fetch Metadata request headers (
Sec-Fetch-Site, etc.) let servers block cross-origin attack traffic before doing expensive work. (web.dev)
If you see servers ignoring these signals entirely, that's a real hardening opportunity.
🍪 SameSite cookies: helpful, not a full CSRF cure
SameSite is absolutely worth checking during CSRF testing. Chrome's secure-by-default shift treats cookies without a SameSite attribute as Lax in many cases. (Chromium Blog)
However:
- SameSite is defense in depth, not the core defense. (MDN Web Docs)
Laxstill allows cookies on top-level navigations in some flows. (web.dev)- Apps with cross-site login, embedded flows, or legacy integrations often set
SameSite=None; Secure—which re-opens CSRF risk if token/origin checks are weak. (Google for Developers)
So yes, check SameSite, but don't treat it as "done."
🔌 CSRF testing for APIs and SPAs (where teams get overconfident)
A common myth: "It's an API, so no CSRF." Reality: if the API uses cookies and accepts browser credentials, CSRF is back on the menu.
In CSRF testing, check:
- Does the API allow credentials with CORS? (
Access-Control-Allow-Credentials: true) - Is the allowed origin tightly controlled (not
*)? - Does it require CSRF tokens in headers for unsafe methods? (OWASP Cheat Sheet Series)
If an API is purely token-auth (Authorization: Bearer) and not cookie-based, CSRF risk can drop—yet teams still sometimes mix auth styles.
🧱 Common CSRF failure patterns you’ll actually find
These show up constantly in CSRF testing reports:
- CSRF token missing on "secondary" endpoints (AJAX or mobile routes)
- Token present but not validated server-side
- Token validated only for POST, but not PUT/PATCH/DELETE
- Origin checks implemented but allow multiple weak fallbacks
- "Safe" methods (GET) used to change state (don't do this) (Django Project)
- Password/email changes missing re-auth prompts
If you find one, check the whole feature family. Bugs love company.
✅ If CSRF protection is working, what should you see?
When CSRF testing hits a protected endpoint, the app should shut it down fast.
Expected outcomes:
- Request rejected (often HTTP 403)
- Missing/invalid token triggers a clear server-side failure path
- Token is session-specific
- Cross-origin requests don't perform the action
- Logs show a meaningful security event (if logging exists)
If an action succeeds without the anti-CSRF signals, you have a real finding.
🛡️ Fix recommendations that don’t waste anyone’s time
When you write a CSRF finding, include fixes that teams can actually implement.
Strong recommendations:
- Use built-in CSRF protection in the framework (don't roll your own) (MDN Web Docs)
- Enforce tokens on all unsafe methods
- Add Origin/Referer validation for unsafe methods (OWASP Foundation)
- Consider Fetch Metadata checks as an extra layer (web.dev)
- Set cookies with appropriate
SameSite, plusSecure, plusHttpOnlywhere applicable (MDN Web Docs)
The "best" fix is usually: token + origin validation + sane cookie flags.
🧾 A practical CSRF report template (copy this structure)
A good CSRF testing report is short, specific, and reproducible.
Include:
- Affected endpoint(s) and method(s)
- Preconditions (must be logged in, role required, etc.)
- Observed behavior (what changed)
- Expected behavior (reject request without CSRF proof)
- Security impact (account takeover steps, financial change, etc.)
- Recommended remediation (framework setting + verification steps)
- Retest notes (how to confirm fixed)
Teams love reports that help them close tickets quickly.
📌 CSRF testing checklist you can run on every feature
Use this mini list during CSRF testing:
- Is the endpoint state-changing?
- Does it rely on cookies?
- Does it require a CSRF token?
- Is the token validated and session-bound?
- Do Origin/Referer checks exist for unsafe methods?
- Are cookies using sensible SameSite defaults?
- Do API endpoints correctly restrict credentialed CORS?
If you answer "no" to more than one, you probably have a finding.
🧩 WordPress note (because tons of sites live here)
If you're doing CSRF testing on WordPress sites, remember WordPress commonly uses nonces (anti-CSRF tokens) on admin actions and custom forms. Missing nonce checks on privileged actions is a classic plugin/theme mistake.
So, for WP: check whether sensitive actions call nonce verification consistently (especially custom AJAX handlers and REST routes).
✅ Conclusion: CSRF testing is boring… until it saves your site
CSRF testing isn't glamorous. It's also one of the easiest ways to prevent "why did my password/email/bank info change?" incidents.
If you want a second set of eyes on a specific endpoint flow (WordPress, custom plugin, API, whatever), use your normal support channel and include the captured request + the expected behavior. You'll get a faster, cleaner fix that way.
❓ FAQs: CSRF testing questions people actually ask
❓ What is CSRF testing in one sentence?
CSRF testing checks whether a site blocks unauthorized cross-site requests that ride on a user's logged-in session.
❓ Is CSRF only a browser problem?
Mostly, yes—because browsers automatically attach cookies, which is what CSRF abuses. (OWASP Foundation)
❓ Do I still need CSRF tokens if I use SameSite cookies?
Often yes. SameSite helps, but it's not a complete CSRF defense by itself. (MDN Web Docs)
❓ Which endpoints should I prioritize in CSRF testing?
Password/email changes, payouts, permissions, billing, and anything that changes account security settings.
❓ Are GET requests safe from CSRF?
They should be, but only if your app follows the rule that GET is side-effect free. (Django Project)
❓ What’s the most common CSRF mistake developers make?
Forgetting CSRF protection on "secondary" endpoints like AJAX routes or mobile/API variants.
❓ How do I know if a CSRF token is weak?
If it's reusable across sessions/users, not required, not validated, or predictable, it's weak. (OWASP Cheat Sheet Series)
❓ Does CORS stop CSRF?
Not automatically. Credentialed CORS plus cookies can still create CSRF risk if anti-CSRF checks are missing. (OWASP Cheat Sheet Series)
❓ Is CSRF relevant for JSON APIs?
Yes, if the API uses cookies and is called by browsers. (Home)
❓ What headers help with CSRF defense besides tokens?
Origin/Referer checks and Fetch Metadata (Sec-Fetch-*) can reduce cross-origin attack traffic. (web.dev)
❓ What does “SameSite=None; Secure” imply in CSRF testing?
It means the cookie is allowed cross-site over HTTPS, so token/origin checks matter even more. (Chromium Blog)
❓ Why did Chrome’s SameSite changes matter?
Chrome began treating cookies without SameSite as Lax, raising the baseline against some CSRF attempts. (Chromium Blog)
❓ Is Origin checking alone enough?
It helps, but it's best paired with CSRF tokens and proper cookie flags. (OWASP Cheat Sheet Series)
❓ What should the server respond with when CSRF protection works?
Usually 403 (or another denial), and the action should not occur.
❓ What’s the best “defense stack” to recommend?
Framework CSRF tokens + origin validation + sane SameSite/Secure cookie settings. (OWASP Cheat Sheet Series)
Sources & References
Related Videos:
Related Posts:
Canadian Justice System: 17 Essential Parts Explained
LinkedIn Scraping: Methods, Risks, and Defense Playbook
RR0288 Requisition for Assessment Ontario: Practical Guide
Client-Centred Legal Interviewing: 17 Pro-Level Skills for Stronger Cases
Self-Worth and Self-Respect: 15 Strong Ways to Raise Her
Related Posts
About the Author: Bernard Aybout (Virii8)
