Web Security

Insecure Design (CSRF)

Risk: Flaws in design and architecture lead to security weaknesses. This module demonstrates them through CSRF attacks that exploit poor design decisions.

Module ID: WEB-CSRF-01
Lab Type: Hands-on
Level: Intermediate

Overview

See how missing anti-CSRF protections and unsafe designs allow attackers to trigger unauthorized state changes.

Learning Outcomes

  • Understand CSRF mechanics and preconditions
  • Implement anti-CSRF tokens and double-submit
  • Configure SameSite and secure cookies
  • Favor idempotent and confirmatory flows
  • Validate protections via automated tests

Hands-on Labs

Exploit a CSRF weakness, then iteratively apply and verify multiple defenses.

Design

Use defense-in-depth: tokens, SameSite, re-auth for risky changes, and user intent verification.
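As an added example (not part of the module's own material), a minimal Python request gate that combines the defenses listed above: an HMAC-bound double-submit token, SameSite/Secure cookie attributes, and a check that lets safe (idempotent) methods through while requiring the token on state-changing ones. The function names, the X-CSRF-Token header and the session cookie name are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for this example; in production load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Double-submit token bound to the session: nonce + HMAC(key, session_id:nonce).
    An attacker's page cannot mint one without SERVER_KEY or read ours cross-site."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def csrf_cookie_header(token: str) -> str:
    """Set-Cookie value for the token copy. SameSite=Strict stops browsers sending it on
    cross-site requests; Secure keeps it off plaintext HTTP. Not HttpOnly: page script must
    read it to echo it in the request header (that echo is the double-submit check)."""
    return f"csrf_token={token}; Path=/; Secure; SameSite=Strict"


def session_cookie_header(session_id: str) -> str:
    """Session cookie: HttpOnly (script never needs it) and SameSite=Lax as a baseline."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def is_state_change_allowed(method: str, cookies: dict, headers: dict) -> bool:
    """Gate for handlers. Safe methods pass and must stay idempotent; unsafe methods need a
    session, the csrf cookie, a matching header copy, and a MAC valid for that session."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    session_id, cookie_tok, header_tok = cookies.get("session"), cookies.get("csrf_token"), headers.get("X-CSRF-Token")
    if not (session_id and cookie_tok and header_tok):
        return False  # a forged cross-site form post carries cookies but no custom header
    if not hmac.compare_digest(cookie_tok.encode(), header_tok.encode()):
        return False  # header copy must equal the cookie copy
    return verify_csrf_token(session_id, header_tok)
```

Re-authentication for risky changes (password or e-mail updates) and an explicit confirmation step sit on top of this gate rather than replacing it.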