CSRF- Netflix and Youtube are victims of it

Photo by Samet Özer on Unsplash

The fundamental of CSRF

CSRF’s full name is Cross-Site Request Forgery (Another name is XSRF). This vulnerability is quite common, and Netflix and Youtube have also been victims of vulnerability.

The fundamental of CSRF
  1. First, the user must log in to the page they need (Temporarily called site A).
  2. To seduce users, hackers will create a malicious website.
  3. When a user accesses this malicious web, a request will be sent to the A site that the hacker wants to attack (via form, img, …).
  4. Because ,there is a cookie attached to the user in this request, site A will mistakenly believe that this is a request made by the user.
  5. Hackers can impersonate users to do actions such as changing passwords, transferring money, …

Common types of attacks

Type 1. Use forms

Once upon a time, there were two brothers from this family named A and B.
One day, arguing with his wife, A was so sad he wanted to leave for the massage. Unfortunately, they asked to ask for the address no one gave because A credit was too low.

Real site
Fake Site

Type 2. Use img tag

The story is not over yet. There is a massage place, but his wife holds the money; a does not have money to do the massage. A decided to hack B’s bank account.

Prevention for website

Photo by Jeffrey F Lin on Unsplash
  • Use CSRF Token: In each form or request, we attach a CSRF token. This token is created based on the user’s session. When sending to the server, we check the authenticity of this session. Because this token is randomly generated based on session, hackers cannot fake it (frameworks like RoR, CodeIgniter, ASP.NET MVC all support CSRF token).
  • Check the Referer and Origin values ​​in the header: Origin tells us the website calls this request. This value is included in each request and cannot be edited by the hacker. Check for this value; if it is a strange page, then do not process the request.
  • Check the X-Requested-With: Request header that contains this header is a secure request because this header prevents us from sending requests to other domains (details).
  • Be careful to prevent XSS errors: With XSS, hackers can install malicious code on the website to attack. At this point, all anti-CSRF methods such as tokens, referrers are disabled.


In the old days, this bug was quite serious and common. Recently, frameworks are mostly defaults against this error, so they encounter less frequency. However, we still have to be careful, especially the websites that code themselves (especially PHP code).

Sources for further reference:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Always be nice to anybody who has access to my toothbrush.