Introduction
The use of the internet and web applications has grown enormously. Banking, shopping, social media and online services all depend on web applications. But wherever there is an internet connection there is also a risk of cyber attacks. One very important and dangerous attack in web security is the CSRF attack.
CSRF stands for Cross-Site Request Forgery. This attack misuses the user's browser to perform unauthorized actions. In simple words, the attacker makes the victim's browser send an unwanted request to a website without the user noticing.
If the user is already logged in to a website and the attacker triggers a request through a malicious link or page, the website treats that request as legitimate. This is what makes CSRF attacks dangerous.
In this article we will look in detail at:
- What a CSRF attack is
- How CSRF works
- Real-world examples
- The difference between CSRF and XSS
- How to protect against CSRF attacks
This guide is written specifically for beginners who are learning cyber security and web application security.
What Is a CSRF Attack?
CSRF, or Cross-Site Request Forgery, is a web security vulnerability in which an attacker causes an authenticated user's browser to send a malicious request.
This means that if a user is logged in to a website, the attacker can use that user's browser to perform actions on the website.
For example, if a user is logged in to a banking website and the attacker sends a malicious request, the bank server may treat that request as genuine.
Let's understand it with a simple example:
Suppose you are logged in to your bank's website and you click on a malicious website that contains a hidden request:
https://bank.com/transfer?amount=10000&to=hacker
If the bank server does not verify the request, money can be transferred.
This type of attack is called a CSRF attack.
How Does a CSRF Attack Work?
A CSRF attack misuses the browser's trust mechanism. When a user logs in to a website, the server gives the user a session cookie.
The browser automatically sends this cookie with every request to that site.
The attack process looks like this:
Step 1 – The user logs in
The user logs in to a website such as a bank or a social media site.
Step 2 – A session becomes active
The server gives the user a session cookie.
Step 3 – The attacker creates a malicious link
The attacker crafts a malicious request or link.
Step 4 – The user opens the malicious link
The user opens the malicious link through a phishing email or a website.
Step 5 – The request reaches the server
The browser automatically sends the request together with the session cookie.
Step 6 – The server accepts the request
The server treats the request as genuine and performs the action.
In this way the attacker can misuse the user's account.
CSRF Attack Example
Let's understand a CSRF attack with a practical example.
Suppose there is a website:
examplebank.com
And the request used to transfer money looks like this:
examplebank.com/transfer?amount=5000&to=attacker
If the server does not verify the request, the attacker can build a malicious page containing a hidden form.
Example:
<form action="https://examplebank.com/transfer" method="POST">
<input type="hidden" name="amount" value="5000">
<input type="hidden" name="to" value="attacker">
</form>
When the user opens that page, the browser sends the request automatically.
The server believes the request was sent by the user.
Types of CSRF Attack
A CSRF attack can be carried out in different ways.
1. GET-Based CSRF Attack
In this attack the malicious request is sent through a URL.
Example:
https://example.com/change-password?newpass=12345
If the user clicks the link, the password may be changed.
2. POST-Based CSRF Attack
Here the attacker uses a hidden form that is submitted automatically.
This type of attack is more dangerous because the user does not even notice it.
3. Login CSRF
In this attack the attacker logs the user in to an account controlled by the attacker.
This can be used for tracking and data collection.
Real-World CSRF Attack Examples
CSRF attacks have also been used in the real world.
Netflix CSRF Attack
At one time Netflix had a CSRF vulnerability through which an attacker could change a user's account details.
Gmail CSRF Vulnerability
A CSRF vulnerability was also found in Gmail that allowed an attacker to change email forwarding settings.
Facebook CSRF Issue
Through a CSRF bug in Facebook, an attacker could change a user's profile settings.
These examples show how serious a CSRF attack can be.
Difference Between CSRF and XSS
Many people think CSRF and XSS are the same attack, but the two are different.
CSRF Attack
- Misuses the user's authenticated session
- Makes the request from the user's browser
- The server trusts the user
XSS Attack
- A malicious script is injected into the website
- The browser executes the script
- Data can be stolen
Both are web security vulnerabilities, but their working mechanisms are different.
Dangers of a CSRF Attack
The impact of a CSRF attack can be very serious.
Unauthorized Transactions
Money can be transferred on banking websites.
Account Settings Change
The user's password or email address can be changed.
Data Manipulation
Malicious changes can be made to the user's account.
Privacy Risk
The user's personal information can be leaked.
This is why a CSRF vulnerability is considered high risk in web security.
How to Protect Against CSRF Attacks
Developers and website owners can protect against CSRF attacks by using a few security techniques.
1. CSRF Tokens
The most effective method is the CSRF token.
The server generates a unique, unpredictable token and includes it with each form or request it serves; an attacker's page cannot know this value. If the token submitted with the request does not match, the request is rejected.
2. SameSite Cookies
By setting the SameSite attribute on cookies, the browser can be told not to send them with cross-site requests.
Example:
Set-Cookie: session=12345; SameSite=Strict
3. Double Submit Cookie
In this technique the server sets a random value in a cookie, and the client must also send the same value in the request body or a header; the server checks that the two values match.
4. Re-Authentication
For sensitive actions the user has to enter their password again.
Example:
- Password change
- Money transfer
5. CAPTCHA Protection
Using a CAPTCHA can block automated CSRF requests.
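To tie the attack steps above to the token and SameSite defences, here is an added example (not code from the original article) that simulates the examplebank.com transfer endpoint in two versions: one that trusts the session cookie alone, and one that also checks the request origin and a per-session CSRF token. The session store, function names and the attacker origin are constructed for this illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> {"user", "csrf"}.
SESSIONS = {}
SITE_ORIGIN = "https://examplebank.com"  # origin from the article's example


def login(user):
    """Create a session and a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value the server should send: SameSite, Secure and HttpOnly set."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def _session_from(headers):
    cookie = SimpleCookie(headers.get("Cookie", ""))
    return SESSIONS.get(cookie["session"].value) if "session" in cookie else None


def _same_origin(headers):
    # Origin (or Referer as fallback) must equal the site's own origin; fail closed.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def vulnerable_transfer(headers, form):
    """Trusts the session cookie alone, so a cross-site POST is accepted."""
    if _session_from(headers) is None:
        return 401
    return 200  # would move form["amount"] to form["to"]


def hardened_transfer(headers, form):
    """Same action with two independent checks: request origin and CSRF token."""
    session = _session_from(headers)
    if session is None:
        return 401
    if not _same_origin(headers):
        return 403
    # Constant-time compare so token mismatches cannot be timed.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403
    return 200
```

The browser sends the session cookie with the forged request in both versions; only the hardened handler notices that the origin is foreign and the token is missing.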
Important Security Tips for Developers
If you are a web developer, it is essential to follow a few best practices.
- Use a CSRF token in every form
- Enable SameSite cookies
- Require re-authentication for sensitive actions
- Use HTTPS
- Use security testing tools
CSRF Testing Tools
Cyber security professionals use a few tools to detect CSRF vulnerabilities.
Burp Suite
A popular tool for web application testing.
OWASP ZAP
A free security testing tool.
CSRF Tester
A specialized CSRF testing tool.
These tools help in detecting vulnerabilities.
FAQs
Q1: What does CSRF stand for?
CSRF stands for Cross-Site Request Forgery.
Q2: Is a CSRF attack dangerous?
Yes, it can perform unauthorized actions in the user's account.
Q3: What is the difference between CSRF and XSS?
CSRF misuses the user's authenticated session, whereas XSS injects malicious scripts.
Q4: How can a CSRF attack be prevented?
The attack can be prevented by using CSRF tokens, SameSite cookies and CAPTCHA.
Conclusion
A CSRF attack is a serious vulnerability in web application security that misuses the user's authenticated session. If a website does not use proper security measures, an attacker can perform unauthorized actions from the user's account.
Developers should use CSRF tokens, SameSite cookies and strong authentication mechanisms so that web applications stay secure.
If you are learning cyber security or ethical hacking, understanding the CSRF attack is very important because it is also included in the OWASP Top 10 vulnerabilities.
With regular security testing and by following best practices, websites can be secured against CSRF attacks.
What's Next?
Next Guide:
What Is Malware? Types, Real Examples and Prevention Guide (2026)
Important Note
This content is shared only for educational purposes and cyber security awareness. Testing any website or system without permission may be illegal.