00 — Overview
CSRF — Cross-Site Request Forgery
Trick a logged-in user's browser into sending a request to another site without the user knowing. The browser attaches the session cookie to that request automatically, so the server treats the forged request as a genuine action by the logged-in user.
Intermediate · 45 min · 8 tasks
// By the end of this module
→Understand why cross-origin requests are dangerous without CSRF tokens
→Build a CSRF PoC that performs state-changing actions as a victim
→Bypass SameSite=Lax, referer checks, and weak token validation
→Chain CSRF with stored XSS for no-click exploitation
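To make the overview concrete from the defender's side, here is an added example (not part of this module's material) showing why the automatic cookie alone is not proof of intent. It models a state-changing "transfer" endpoint twice: once trusting only the session cookie, and once requiring a per-session synchronizer token plus an Origin/Referer allow-list check. The application origin `https://bank.example`, the in-memory `SESSIONS` store and the request dicts are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}
# Assumed origin of the application; only requests provably from here may change state
ALLOWED_ORIGINS = {"https://bank.example"}


def create_session(user):
    """Log a user in: mint a session id and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms; a third-party page cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def _origin_ok(headers):
    """Defence in depth: accept only requests whose Origin (or Referer) is the app itself."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            # No provenance at all: fail closed for state-changing requests.
            return False
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def transfer_unprotected(req):
    """Vulnerable: the presence of a valid session cookie is the only check."""
    sid = req["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    form = req["form"]
    return 200, f"{SESSIONS[sid]['user']} sent {form['amount']} to {form['to']}"


def transfer_protected(req):
    """Hardened: cookie + origin allow-list + constant-time synchronizer token check."""
    sid = req["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not _origin_ok(req["headers"]):
        return 403, "cross-site origin rejected"
    submitted = req["form"].get("csrf_token", "")
    expected = SESSIONS[sid]["csrf_token"]
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid CSRF token"
    form = req["form"]
    return 200, f"{SESSIONS[sid]['user']} sent {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = create_session("alice")
    # Constructed forged request: cookie is present (browser adds it), token is not
    forged = {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"to": "mallory", "amount": "1000"},
    }
    print(transfer_unprotected(forged))  # accepted: cookie alone is trusted
    print(transfer_protected(forged))    # rejected at the origin check
```

The token is the primary control; the Origin/Referer check is a second layer because some proxies and privacy settings strip Referer, and failing closed on a missing Origin can break legitimate clients, so in production you would tune that branch rather than rely on it alone.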
