CSRF (Cross-Site Request Forgery)

A08:2021 - No token validation

What is Cross-Site Request Forgery (CSRF)?

CSRF attacks force authenticated users to submit unwanted requests on web applications where they are currently authenticated. These attacks exploit the trust a web application has in the user's browser.

How It Works:

  • User is authenticated on victim site (has valid session cookie)
  • User visits malicious attacker-controlled website
  • Malicious site submits form to victim site on user's behalf
  • Browser automatically includes session cookies
  • Victim site processes the unauthorized request

Before WAF: Vulnerable

Without Cloudflare WAF, state-changing requests execute without any validation.

Perform Admin Actions (No CSRF Token): the demo form lets you pick a target user (admin or john_doe) and submit the action.

Or use cURL (Cross-Origin):

# Delete user without CSRF token
curl -X POST "<your-worker-url>/api/delete-user" \
  -H "Content-Type: application/json" \
  -H "Origin: https://evil.com" \
  -d '{"user_id":2}'

# Toggle settings without validation
curl -X POST "<your-worker-url>/api/settings" \
  -d '{"setting":"debug_mode","value":"true"}'

Vulnerability: No CSRF tokens, no SameSite cookies, no origin validation on POST requests.

User Management (Vulnerable)

Delete users without CSRF protection. The demo's user list:

  • admin (admin@security-demo.local)
  • john_doe (john@example.com)
  • jane_smith (jane@example.com)
  • test_user (test@test.com)
  • alice_wonder (alice@company.com)
  • bob_builder (bob@construction.com)
  • charlie_day (charlie@philly.com)
  • diana_prince (diana@themyscira.com)
  • eve_online (eve@tech.com)
  • frank_castle (frank@marvel.com)
  • grace_hopper (grace@navy.mil)
  • henry_ford (henry@ford.com)

Settings (Vulnerable)

Toggle settings without CSRF protection. Current values:

  • site_name: Security Demo App
  • allow_registration: true
  • debug_mode: 1.0
  • api_rate_limit: 1000
  • session_timeout: 3600
  • allowed_origins: *
  • feature_flags: {"new_ui": true, "beta_api": false}
  • notification_email: admin@security-demo.local

After WAF: Protected

With Cloudflare WAF, cross-origin requests are detected and blocked.

Enable Cloudflare Protection:

  1. Go to Cloudflare Dashboard → Security → WAF
  2. Enable "Cloudflare Managed Ruleset"
  3. Create custom rule: Block requests with Origin header ≠ your domain
  4. Configure Security Headers: X-Frame-Options, CSP

Result: Cross-origin state-changing requests are blocked with 403 Forbidden.

Cloudflare CSRF Protection

  • Origin Validation: Verify request Origin header matches your domain
  • Referer Checking: Block requests from external sites
  • Custom Rules: Require custom headers for sensitive operations
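The same three checks (Origin validation, Referer fallback, a required custom header for sensitive operations) plus the SameSite cookie the Vulnerability note says is missing, applied inside the application itself. This is an added example, not the demo app's code or a Cloudflare ruleset; it assumes a Worker-style fetch handler using the Web Request/Response API, and ALLOWED_ORIGIN, csrfReason and handle are assumed names.

```javascript
// Added example (not the demo app's code): an Origin/Referer gate for a
// Cloudflare-Worker-style fetch handler. ALLOWED_ORIGIN is an assumed value.
const ALLOWED_ORIGIN = "https://app.example";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Returns null when the request may proceed, otherwise a rejection reason.
// Fails closed: a state-changing request with neither Origin nor Referer is
// rejected rather than assumed to be same-origin.
function csrfReason(request, allowedOrigin = ALLOWED_ORIGIN) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) return null;
  let source = request.headers.get("Origin");
  const referer = request.headers.get("Referer");
  if (source === null && referer !== null) {
    try { source = new URL(referer).origin; } catch { return "unparseable Referer"; }
  }
  if (source === null) return "missing Origin and Referer";
  if (source !== allowedOrigin) return `cross-origin request from ${source}`;
  // Defence in depth: a plain HTML form post cannot carry a custom header, and a
  // cross-origin fetch that adds one is stopped at the CORS preflight.
  if (request.headers.get("X-Requested-With") !== "XMLHttpRequest") {
    return "missing X-Requested-With header";
  }
  return null;
}

// Worker-style handler: gate first, then do the work (the demo's own API logic
// is not reproduced; a fixed JSON body stands in for it).
async function handle(request) {
  const reason = csrfReason(request);
  const headers = { "Content-Type": "application/json" };
  if (reason !== null) {
    return new Response(JSON.stringify({ error: "forbidden", reason }), { status: 403, headers });
  }
  // Re-issue the session cookie with SameSite so a cross-site form post omits it.
  headers["Set-Cookie"] = "session=opaque; HttpOnly; Secure; SameSite=Lax; Path=/";
  return new Response(JSON.stringify({ ok: true }), { status: 200, headers });
}

// Constructed requests: the page's cURL call (Origin: https://evil.com) and the
// same action issued by the application's own front end.
const crossSite = new Request(`${ALLOWED_ORIGIN}/api/delete-user`, {
  method: "POST", body: JSON.stringify({ user_id: 2 }),
  headers: { "Content-Type": "application/json", Origin: "https://evil.com" },
});
const sameSite = new Request(`${ALLOWED_ORIGIN}/api/delete-user`, {
  method: "POST", body: JSON.stringify({ user_id: 2 }),
  headers: { "Content-Type": "application/json", Origin: ALLOWED_ORIGIN,
             "X-Requested-With": "XMLHttpRequest" },
});
```

Running `handle(crossSite)` yields the 403 the WAF section describes, while `handle(sameSite)` succeeds; the check is cheap enough to keep in the application even when the WAF rule is also in place.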