CSRF - alexanderteplov/computer-science GitHub Wiki
This is an attack vector that abuses credentials the browser attaches to requests automatically. Basic authentication, cookies, and OAuth are vulnerable to this attack.
It is typically performed by crafting a malicious link (a button, form, web page, or similar) and inducing the user to interact with it. The user's browser then unintentionally sends a request to an application the user is already logged in to, and that request may, for example, change credentials or perform a banking transaction.
For the attack to be possible, three conditions must hold:
- A relevant action. There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
- Cookie-based session handling (or other automatically submitted credentials, such as client certificates or Basic authentication). Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who made them. There is no other mechanism in place for tracking sessions or validating user requests.
- No unpredictable request parameters. The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:
- Unpredictable with high entropy, as for session tokens in general.
- Tied to the user's session.
- Strictly validated in every case before the relevant action is executed.
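A minimal server-side implementation of those three properties, written as an added example for this page (not code from the wiki). It assumes a constructed in-memory session store and a hypothetical password-change handler that reads a `session` cookie and a `csrf_token` form field.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session data
SESSIONS = {}


def create_session():
    """Start a session and mint a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)                     # unpredictable session id
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)} # high-entropy token, tied to the session
    return sid


def csrf_token_for(sid):
    """Token to embed in forms rendered for this session (hidden input field)."""
    return SESSIONS[sid]["csrf"]


def validate_csrf(sid, submitted):
    """Strict check: unknown session, missing token, or mismatch all fail."""
    session = SESSIONS.get(sid)
    if session is None or not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered via timing
    return hmac.compare_digest(session["csrf"].encode(), submitted.encode())


def handle_change_password(cookies, form):
    """Hypothetical state-changing endpoint: the session cookie alone is not enough.

    A cross-site form can make the browser send the cookie, but it cannot read
    the token bound to the victim's session, so the request is rejected."""
    sid = cookies.get("session")
    if not validate_csrf(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # ... perform the password change for SESSIONS[sid] here ...
    return 200, "password changed"
```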