What it is
CSRF (cross-site request forgery) exploits the browser's ambient authority. When a user is logged into bank.example.com and then visits attacker.example.com, an HTML form or a fetch() call on the attacker's page can submit a state-changing request to the bank (transfer money, change the account email, delete data), and the browser attaches the bank's session cookie automatically. The server cannot distinguish that request from a legitimate one originating on its own pages.
Why it matters
CSRF turns any state-changing endpoint that trusts cookies alone into a drive-by weapon. Historically it has been exploited against routers, admin consoles, and banking interfaces. GET endpoints that mutate state are especially easy targets because a simple <img> tag is enough to fire the request.
Mitigation direction
Adopt SameSite=Lax or SameSite=Strict cookies as the first line of defence. Where an endpoint must still accept cross-origin POST from trusted partners, additionally require a per-session anti-CSRF token carried in a custom request header: a browser only adds such a header to same-origin requests, and a cross-site page cannot set it without a CORS preflight the server can refuse. Validate the Origin and Referer headers on sensitive state-changing routes.
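The three mitigations above combined into one server-side check, as an added example that is not part of the original page: an HMAC-derived per-session anti-CSRF token, an Origin/Referer check against the site's own origin, and a SameSite=Lax session cookie. The origin https://bank.example.com, the header name X-CSRF-Token, and the plain-dict request shape are assumptions standing in for a real framework.

```python
import hashlib
import hmac

SITE_ORIGIN = "https://bank.example.com"  # assumed origin of the protected app
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never mutate state


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    # Per-session token derived with HMAC, so the server needs no token storage.
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    # Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs,
    # Secure/HttpOnly keep it off plaintext HTTP and out of reach of scripts.
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def check_csrf(request: dict, secret: bytes) -> tuple:
    """Return (allowed, reason). `request` is a constructed dict with keys
    method, cookies and headers standing in for a framework request object."""
    headers = request.get("headers", {})
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False, "no session"
    # Origin is sent on cross-site POSTs; fall back to Referer if it is absent.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "missing Origin/Referer"
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False, "cross-origin source"
    token = headers.get("X-CSRF-Token")
    if not token:
        return False, "missing token"
    # Constant-time comparison against the token this session was issued.
    if not hmac.compare_digest(token, issue_csrf_token(session_id, secret)):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    forged = {"method": "POST", "cookies": {"session": "s1"},
              "headers": {"Origin": "https://attacker.example.com"}}
    print(check_csrf(forged, secret))  # (False, 'cross-origin source')
```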