Severity: Medium (6.5) · Moderate risk
Cross-Site Request Forgery (missing token)
OWASP A01:2025 · Active check · CVSS 6.5
What it is
State-changing forms or endpoints (change an email address, place an order, update settings) that accept any request carrying the user's session cookie and carry no anti-CSRF token, so another site can submit those actions as a logged-in user.
How attackers abuse it
An attacker lures a logged-in user to a page they control, and that page makes a state-changing request to your site in the background, such as changing the user's email or making a purchase. The user never sees it happen: the browser attaches the session cookie to the cross-site request automatically, so your server cannot tell the forged request from a real one.
Attacker playbook
1. Find a state-changing form or request whose only proof of identity is the session cookie (no token, no custom header, no origin check).
2. Build a page that auto-submits that request in the background, for example a hidden form posted by script on load.
3. When a logged-in victim visits the page, the browser sends their cookie with the request and the action runs as them.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. Detection and confirmation use VibeSec native. A finding is reported as confirmed only when a payload actually proves the issue, for example when a state-changing request succeeds without any anti-CSRF token; otherwise it is not reported as a guess.
If this is in your report: how to fix it
- Add anti-CSRF tokens to every state-changing request (POST, PUT, PATCH, DELETE). The token must be unpredictable, bound to the user's session, and validated server-side on every request; a token that is present in the form but never checked is the same as no token.
- Set session cookies to SameSite=Lax or Strict. Lax blocks the cookie on cross-site POSTs but still sends it on top-level GET navigations, so never perform a state change on GET. Checking the Origin header against your own origin adds a second, independent layer.
- Require re-authentication (current password or a second factor) for sensitive actions such as changing the email address, password, or payment details, so even a successful forgery cannot complete them.
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.
Scan your site for free