CSRF (Cross-Site Request Forgery) Demo

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

How CSRF Attacks Work:

  1. User logs into a legitimate website (the target)
  2. User visits a malicious website or opens a malicious email
  3. The malicious page makes requests to the target site, and the browser attaches the user's session cookie automatically
  4. The target site processes the request as if the user had intended it

Try This Attack Simulation:

Create a malicious HTML page with this form and host it elsewhere:

  <!-- Malicious website form -->
  <form action="http://dotnet.oxfordbadfriends.com/CSRFDemo" method="post">
    <input type="hidden" name="email" value="attacker@evil.com" />
    <input type="submit" value="Click for Free Prize!" />
  </form>

  <!-- Or auto-submit with JavaScript -->
  <script>
    document.forms[0].submit();
  </script>

CSRF Protection Methods:

  • Anti-CSRF Tokens: Include a unique, unguessable token in every state-changing form and verify it server-side
  • SameSite Cookies: Stop the browser from sending the session cookie on cross-site requests
  • Referer Header Validation: Check that the Origin or Referer header matches your own site
  • Double Submit Cookies: Require the same token in a cookie and in the request body as an additional validation layer

Test Steps:

  1. Change your email using the form below
  2. Try making the same request from a different domain or from a separate tool
  3. Notice how the anti-CSRF token causes the site to reject the unauthorized change

Change Email

Your current email is: not set

This form is protected by anti-CSRF tokens