3. CSRF where token validation depends on token being present

This web application is vulnerable to CSRF. An API endpoint and its parameters are well known, and
actions can be taken using a user's cookie without verifying which page originated the request. The browser
automatically attaches the user's cookie for this site and submits the POST request on the user's behalf, so the
request is forged. Usually a CSRF token prevents this; here, however, the server only checks that a token
is present, not that its value is correct.
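The weak presence-only check beside a check that binds the token to the session, as an added example in Python that is not code from the lab or from the original page. The in-memory session store, the request dictionaries and ALLOWED_ORIGIN are assumptions made for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (from the cookie) -> session data.
SESSIONS = {}
ALLOWED_ORIGIN = "https://example.com"  # assumed origin of the application itself


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32), "email": None}
    return sid


def vulnerable_csrf_check(request):
    """The weak check described above: any non-empty token value passes."""
    return bool(request["form"].get("csrf"))


def hardened_csrf_check(request):
    """Accept only a token that matches the one stored for this session,
    and reject cross-origin requests when the browser supplies an Origin header."""
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    session = SESSIONS.get(request["cookies"].get("session"))
    submitted = request["form"].get("csrf")
    if session is None or not submitted:
        return False
    # Constant-time comparison against the session-bound token.
    return hmac.compare_digest(submitted, session["csrf_token"])


def change_email(request, check):
    """Simulated state-changing endpoint; returns True if the change was applied."""
    if not check(request):
        return False
    SESSIONS[request["cookies"]["session"]]["email"] = request["form"]["email"]
    return True


def demo():
    sid = new_session()
    # Constructed cross-site form post: the browser attaches the victim's cookie,
    # but the token value is not the one stored in the victim's session.
    forged = {"cookies": {"session": sid}, "headers": {"Origin": "https://attacker.example"},
              "form": {"email": "x@example.com", "csrf": "anything"}}
    legit = {"cookies": {"session": sid}, "headers": {"Origin": ALLOWED_ORIGIN},
             "form": {"email": "me@example.com", "csrf": SESSIONS[sid]["csrf_token"]}}
    return {"forged_vs_vulnerable": change_email(forged, vulnerable_csrf_check),
            "forged_vs_hardened": change_email(forged, hardened_csrf_check),
            "legit_vs_hardened": change_email(legit, hardened_csrf_check)}
```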


Solution