M_03/ A01:2021 — Broken Access Control

Cross-Site Request Forgery

A malicious site quietly triggers an authenticated action because the browser auto-attaches cookies. Try launching the attack with each defense on.

1A · Victim's tab — securebank.com
balance
50,000
cookie: session=abc123 (HttpOnly)
logged in as: alice
1B · Attacker tab — evil-blog.example
    <form id="f" method="POST" action="https://securebank.com/transfer">
      <input name="to" value="attacker"/>
      <input name="amount" value="10000"/>
    </form>
    <script>f.submit()</script>
2.0 Bank Server
POST /transfer
Host: securebank.com
Origin: https://evil-blog.example
Content-Type: application/x-www-form-urlencoded
Cookie: session=abc123

amount=10000&to=attacker
Cookie attached: yes
Origin matches: no — cross-site
CSRF token valid: n/a (none sent)
✗ 200 — transfer executed
3.0 Intelligence

What just happened

The browser automatically attaches the bank's cookie to any request it sends to the bank, including a form POST auto-submitted by a page on an unrelated site. HttpOnly does not help here: the attacker never reads the cookie, the browser sends it on their behalf. The bank sees a valid session and processes the transfer. Note that Chrome's SameSite=Lax default for cookies that carry no SameSite attribute withholds them from most cross-site POSTs, but not every browser applies that default and an explicit SameSite=None cookie is still sent, so the server-side checks in the table above remain necessary.

Logical flow

  • 01 Victim is already logged into the bank in one tab.
  • 02 Victim opens the attacker's page (or it is embedded in an ad).
  • 03 A hidden form auto-submits a POST to the bank.
  • 04 The browser auto-attaches the session cookie.
  • 05 The bank processes the transfer.
Risk: Critical
OWASP: A01
↳ What the developer intended
POST /transfer is only callable by a user who consciously filled out the bank's own transfer form.
↳ What the runtime actually executes
A forged POST arrives carrying the victim's session cookie. The server sees a valid session and processes the transfer.
Attack flow