Csrf Cross Site Request Forgery
Run a structured CSRF review on state-changing flows—tokens, SameSite, JSON CSRF, login CSRF, and OAuth state—before you ship web apps.
Overview
CSRF — Cross-Site Request Forgery is an agent skill most often used in Ship (also Operate) that guides authorized CSRF testing across tokens, SameSite, JSON CSRF, login CSRF, and OAuth state.
Install
npx skills add https://github.com/yaklang/hack-skills --skill csrf-cross-site-request-forgeryWhat is this skill?
- Expert CSRF attack playbook with modern bypass vectors: SameSite gaps, custom-header flaws, and weak token implementatio
- Covers JSON CSRF, multipart CSRF, and chaining with XSS for realistic exploit paths
- Prioritizes high-value state-changing targets (password/email change, admin grants, transfers)
- Routes to companion skills for CORS misconfiguration and OAuth/OIDC state when flows overlap
- Documents 4 required CSRF conditions (session, cookie-only auth, predictable request, cross-origin cookie send)
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You ship cookie-authenticated flows but only checked for a hidden CSRF field—not whether SameSite, JSON endpoints, or OAuth state can still be abused cross-origin.
Who is it for?
Builders doing authorized security review or bug bounty prep on session-based web apps and OAuth login flows.
Skip if: Pure API-key services with no browser session cookies, or anyone seeking exploit code to run against systems without explicit permission.
When should I use this skill?
Reviewing state-changing web flows, anti-CSRF defenses, SameSite behavior, JSON CSRF, login CSRF, or OAuth state handling.
What do I get? / Deliverables
You leave review with prioritized state-changing targets, documented bypass hypotheses, and pointers to chain CORS or OAuth skills when those controls fail together.
- Prioritized CSRF target list
- Bypass hypotheses (SameSite, JSON, multipart, XSS chain)
- Cross-skill load notes for CORS and OAuth/OIDC when relevant
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/security is the canonical shelf because the playbook targets pre-release hardening and authorization flaws on live session models. Security subphase matches offensive/defensive review of cross-origin request abuse rather than functional unit tests alone.
Where it fits
Map email-change and admin-grant routes and test whether cookie-only sessions accept cross-site posts.
Cross-check PRs that add JSON APIs for missing anti-CSRF headers or broken token validation.
Catch login CSRF on an early OAuth callback before you wire production domains.
Re-run the playbook after tightening SameSite or splitting admin onto a new subdomain.
How it compares
Structured offensive-security playbook for humans and agents—not a passive dependency scanner or WAF configuration generator.
Common Questions / FAQ
Who is csrf-cross-site-request-forgery for?
Indie developers and small teams hardening SaaS, admin panels, and OAuth-backed apps who want agent-guided CSRF review beyond basic form tokens.
When should I use csrf-cross-site-request-forgery?
During Ship security before release, after auth or cookie policy changes, when auditing JSON POST endpoints, or during Operate iterate when incident notes mention suspicious cross-site actions.
Is csrf-cross-site-request-forgery safe to install?
It describes attack techniques for authorized testing only; check the Security Audits panel on this page and restrict agent network/shell use to environments you are allowed to assess.
SKILL.md
READMESKILL.md - Csrf Cross Site Request Forgery
# SKILL: CSRF — Cross-Site Request Forgery — Expert Attack Playbook > **AI LOAD INSTRUCTION**: Expert CSRF techniques. Covers modern bypass vectors (SameSite gaps, custom header flaws, tokenless bypass patterns), JSON CSRF, multipart CSRF, chaining with XSS. Base models often present only basic CSRF without covering SameSite edge cases and common broken token implementations. ## 0. RELATED ROUTING Also load: - [cors cross origin misconfiguration](../cors-cross-origin-misconfiguration/SKILL.md) when JSON endpoints become readable cross-origin - [oauth oidc misconfiguration](../oauth-oidc-misconfiguration/SKILL.md) when login, account linking, or callback binding relies on OAuth state --- ## 1. CORE CONCEPT CSRF exploits a victim's active session to perform state-changing requests **from the attacker's origin**. **Required conditions**: 1. Victim is authenticated (active session cookie) 2. Server identifies session via cookie only (no secondary check) 3. Attacker can predict/construct the valid request 4. Cookie is sent cross-origin (SameSite=None or legacy behavior) --- ## 2. FINDING CSRF TARGETS **High-value state-changing endpoints**: ``` - Password change ← account takeover - Email change ← account takeover - Add admin / change role ← privilege escalation - Bank/payment transfer ← financial impact - OAuth app authorization ← hijack oauth flow - Account deletion - Two-factor auth disable - SSH key / API key addition - Webhook configuration - Profile/contact info update ``` --- ## 3. TOKEN BYPASS TECHNIQUES ### No Token Present Simplest case — form simply lacks CSRF token. Check if POST /change-email has any token. If not → trivially exploitable. ### Token Not Validated (most common finding!) Token exists in request but is never verified server-side: ``` Remove the _csrf_token parameter entirely → does request still succeed? → YES → trivial bypass ``` ### Token Tied to Session but Not to User ``` Step 1: Log in as UserA → obtain valid CSRF token Step 2: Log in as UserB in other browser → obtain UserB CSRF token Step 3: Use UserB's CSRF token in UserA's session (attacker controls UserB) → If server validates token exists but doesn't check if it belongs to the session → bypass ``` ### Token in Cookie Only When server sets CSRF token as cookie and expects it back in a header/form: ``` Set-Cookie: csrf=ATTACKER_CONTROLLED → If cookie can be set by subdomain (cookie tossing): set cookie to known value → Submit form with known token in header + known token in cookie = bypass ``` ### Static or Predictable Token ``` → Same token across all users/sessions → Token = base64(username) or md5(session_id) → reversible → Token = timestamp → predictable ``` ### Double Submit Cookie Pattern (broken if subdomain trusted) ``` If attacker can write cookies for .target.com from subdomain XSS or cookie tossing: → Set csrf_cookie=CONTROLLED on .target.com → Submit request with X-CSRF-Token: CONTROLLED → Server checks header == cookie → match → bypass ``` --- ## 4. SAMESITE BYPASS SCENARIOS **SameSite=Lax** (modern browser default): cookies sent for top-level GET navigation, NOT for cross-site iframe/form POST. **Bypass SameSite=Lax via GET method**: ```html <!-- If server accepts GET for state-changing endpoint: --> <img src="https://target.com/account/delete?confirm=yes"> <script>document.location = 'https://target.com/transfer?to=attacker&amount=1000';</script> ``` **Bypass via subdomain XSS (SameSite Lax/Strict)**: ```javascript // XSS on sub.target.com → same-site origin → SameSite cookies sent! // Use XSS as staging point for CSRF window.location = 'https://target.com/account/modify?evil=true'; ``` **SameSite=None** (legacy or explicit): cookies sent everywhere → classic CSRF ap