
Interactive attack atlas

This walkthrough shows how a trusted browser session can be reused without any proof that the user actually intended the action.


CSRF Browser Walkthrough

Watch the browser log into a trusted site, store the session cookie, then reuse that cookie when a different tab triggers a hidden request.

Trusted Account Portal (https://trusted-account.example)

The user signs in normally, and the browser receives a session cookie.

The tab looks quiet now. The user is not actively doing anything here.

Malicious page in another tab

It looks unrelated, but it tries to send a hidden request back to the trusted site.

"Claim Reward" lure. The forged request travels from the browser to the trusted server with the saved session cookie attached, and the money ends up with the attacker.

Processed as if you made it

The animation now shows money being pulled from the bank, processed by the trusted server, and sent to the attacker as if the user had requested the transfer.


Quick understanding

1. The user logs into a trusted site in the first browser tab.
2. The browser stores a session cookie after the sign-in succeeds.
3. The user later views a malicious page in another tab.
4. That page triggers a hidden request to the trusted site.
5. The browser automatically attaches the saved cookie to that request.
6. The target site trusts the cookie and processes the action as if the user meant it.
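The six steps above hinge on step 5, the browser attaching the saved cookie on its own. The following is an added example, not code from this page: a small model of that cookie-attachment decision, showing the auto-submitting form a malicious page would use and how the cookie's SameSite attribute changes the outcome. The cookie name, the site names and the /transfer endpoint are assumptions; an unset SameSite attribute is modelled as the legacy "no restriction" behaviour (Chromium now defaults an unset attribute to Lax).

```javascript
// Added example (not code from the page): a model of the browser's decision to
// attach a stored session cookie to the hidden request fired from the
// malicious tab. Cookie and site names are assumptions.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie: { name, value, sameSite: "Strict" | "Lax" | "None" | undefined, secure }
// ctx:    { crossSite, topLevelNavigation, method, https }
function cookieAttached(cookie, ctx) {
  // Requests from the trusted site's own tab are same-site: always attached.
  if (!ctx.crossSite) return true;
  // Legacy behaviour: a cookie set without SameSite has no cross-site
  // restriction, which is what lets the walkthrough succeed.
  const mode = cookie.sameSite || "None";
  if (mode === "Strict") return false;
  // Lax: only top-level navigations with a safe method carry the cookie,
  // so a POSTed form or an <img>/fetch() from another site does not.
  if (mode === "Lax") return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method);
  // None: sent cross-site, but browsers only honour it on Secure cookies.
  return cookie.secure === true && ctx.https === true;
}

// The malicious page's hidden request: an auto-submitting form (constructed).
const MALICIOUS_PAGE = `<form id="f" method="POST" action="https://trusted-account.example/transfer">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="1000">
</form>
<script>document.getElementById("f").submit();</script>`;

// Build the request the browser sends for that form. A form submission is a
// cross-site, top-level POST navigation; the Origin header names the
// attacker's page, and the Cookie header holds whatever the jar released.
function forgedTransferRequest(jar) {
  const ctx = { crossSite: true, topLevelNavigation: true, method: "POST", https: true };
  const attached = jar.filter((c) => cookieAttached(c, ctx));
  return {
    method: "POST",
    url: "https://trusted-account.example/transfer",
    headers: {
      origin: "https://hacker-site.example",
      cookie: attached.map((c) => `${c.name}=${c.value}`).join("; "),
    },
    body: "to=attacker&amount=1000",
  };
}

// Three cookie jars for the same session: legacy, Lax, Strict.
function demo() {
  const base = { name: "session", value: "abc123", secure: true };
  return {
    legacy: forgedTransferRequest([{ ...base }]).headers.cookie,
    lax: forgedTransferRequest([{ ...base, sameSite: "Lax" }]).headers.cookie,
    strict: forgedTransferRequest([{ ...base, sameSite: "Strict" }]).headers.cookie,
  };
}
```

With the legacy cookie the forged POST arrives carrying `session=abc123`, exactly the situation in step 6; with SameSite=Lax or Strict the Cookie header is empty and the trusted server sees an anonymous request. Lax still lets a cross-site link click (a GET navigation) carry the cookie, which is why state-changing actions must not be reachable by GET.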

Real tips to avoid this

Use anti-CSRF tokens for state-changing actions so the server can tell whether the request came from its own form or workflow rather than from a page on another site.

Understanding

CSRF happens when an application trusts the browser’s existing session but does not verify that the user truly intended the sensitive action.

Why it matters

If sensitive endpoints rely only on the presence of a session cookie, the browser may send that cookie automatically during a forged cross-site request.

Defense mindset

Use anti-CSRF tokens, SameSite cookies, re-authentication for important actions, and explicit confirmation flows.

Common signs

Unexpected profile changes, unexplained transfers or settings updates, and important actions that succeed without extra confirmation can be signs of weak request validation.
