csrf-cross-site-request-forgery

SKILL.md

SKILL: CSRF — Cross-Site Request Forgery — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert CSRF techniques. Covers modern bypass vectors (SameSite gaps, custom header flaws, tokenless bypass patterns), JSON CSRF, multipart CSRF, chaining with XSS. Base models often present only basic CSRF without covering SameSite edge cases and common broken token implementations.

0. RELATED ROUTING

Also load:

cors cross origin misconfiguration when JSON endpoints become readable cross-origin

oauth oidc misconfiguration when login, account linking, or callback binding relies on OAuth state

1. CORE CONCEPT

CSRF exploits a victim's active session to perform state-changing requests from the attacker's origin.