DEV Community: Yuriy Safronnynov The latest articles on DEV Community by Yuriy Safronnynov (@safron). https://dev.to/safron https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3855988%2F35f6f1ac-5cd1-4506-9c2a-cdac3ae2ac0b.jpg DEV Community: Yuriy Safronnynov https://dev.to/safron en CSRF. The Bug That Looks Like Legitimate Traffic Yuriy Safronnynov Sun, 12 Apr 2026 14:00:00 +0000 https://dev.to/safron/csrf-the-bug-that-looks-like-legitimate-traffic-1l55 https://dev.to/safron/csrf-the-bug-that-looks-like-legitimate-traffic-1l55 <p>Your admin panel processes a state-changing request. The user is authenticated. The session cookie is valid. The server accepts it. The attacker wins.</p> <p>This is not a dramatic exploit. It is the server doing its job, faithfully executing a request it was never supposed to accept, because nobody thought to ask where the request actually came from.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2lfv5pohovmfoulhzkc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy2lfv5pohovmfoulhzkc.png" alt="Vulnerable Path, CSRF Attack Flow, Secure Path" width="800" height="417"></a></p> <h2> TL;DR </h2> <ul> <li>CSRF lets an attacker forge authenticated requests from a victim's browser. The server sees a valid session and executes the action.</li> <li>CVE-2024-1538 exposed over 1 million WordPress sites via missing nonce validation. CVSS 8.8. Patched in File Manager 7.2.5.</li> <li>Happy-path tests never catch this. You have to explicitly test the rejection path: missing token, invalid token, no state mutation.</li> <li>Three layers of prevention: synchronizer tokens at middleware level, SameSite cookie attributes, Origin header validation.</li> <li>AI-generated test suites create false confidence here. They test the correct flow, not the forged one.</li> </ul> <h2> What it is </h2> <p>Cross-Site Request Forgery tricks an authenticated user's browser into sending a request to your application on behalf of an attacker. The browser does what browsers do: it automatically attaches session cookies to every request. The server sees a valid cookie and processes the request. The user never saw the form that submitted it.</p> <p>The technical condition that makes this possible: HTTP cookies are sent automatically on every matching request regardless of origin. If your server does not verify that a state-changing request came from your own application, any page on the web can forge one.</p> <p>Developers introduce this without malice. They build the happy path, test the happy path, and ship the happy path. Cross-origin validation is not something most developers think about while building a file rename feature. In code review, reviewers look for logic errors, but never for the presence of CSRF tokens on every mutating endpoint.</p> <p>The attack surface is the assumption that <strong>authenticated</strong> means <strong>authorized-to-have-submitted-this-form</strong>.</p> <h2> Real world damage </h2> <p><strong>CVE-2024-1538 · WordPress File Manager · March 2024 · CVSS 8.8</strong></p> <p>In March 2024, a CSRF vulnerability was disclosed in the WordPress File Manager plugin, active on over 1 million websites. The flaw stemmed from missing nonce validation on the <code>wp_file_manager</code> page when handling the <code>lang</code> parameter.</p> <p>An attacker could trick an authenticated administrator into clicking a crafted link, which would include a local JavaScript file into the application and open the door to remote code execution.</p> <p>No credentials required. No brute force. Only a logged-in admin who <br> clicked something.</p> <blockquote> <p>Source: <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-1538" rel="noopener noreferrer">NVD CVE-2024-1538</a>, <br> published March 21, 2024. Affected all versions up to 7.2.4. <br> Patched in 7.2.5. Credit: Wordfence for responsible disclosure.</p> </blockquote> <p>A QA engineer running cross-origin state-change tests before 7.2.5 <br> would have caught this. The test is not complex: submit a mutating <br> request with a missing or incorrect nonce and assert the server rejects it. That test did not exist. The vulnerability shipped to a million sites.</p> <h2> The invisible bug problem </h2> <p>Happy-path tests authenticate as a real user and send requests exactly as the application intends. That is the problem. <br> CSRF is not about whether the endpoint works correctly for a legitimate request. It is about whether the server validates that the request is legitimate at all.</p> <p>Your test suite exercises the authenticated user path and passes. The attack exploits the same path from an external origin and also passes, from the server's perspective.</p> <p>The bug only surfaces when the test asks a different question:</p> <blockquote> <p>Does this endpoint accept a state-changing request that arrives <br> without a valid CSRF token?</p> </blockquote> <p>Standard test suites never ask that. They test that the endpoint <br> responds correctly. They do not test that the endpoint <strong>refuses incorrectly</strong>.</p> <h2> How QA engineers catch it </h2> <p>The core principle: every state-changing endpoint must reject requests that arrive without a valid CSRF token. Your suite needs to verify the <strong>rejection path</strong>, not just the success path.</p> <h3> PyTest </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pytest</span> <span class="kn">import</span> <span class="n">requests</span> <span class="n">BASE_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://your-app.com</span><span class="sh">"</span> <span class="nd">@pytest.fixture</span> <span class="k">def</span> <span class="nf">auth_session</span><span class="p">():</span> <span class="n">session</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="n">session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/login</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">test_password</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="n">session</span> <span class="k">def</span> <span class="nf">test_csrf_empty_token_returns_403</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># CVE-2024-1538 pattern: missing nonce = server must reject </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">403</span> <span class="k">def</span> <span class="nf">test_csrf_forged_token_returns_403</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># attacker-controlled token value must be rejected </span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">attacker-forged-token-abc123</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">403</span> <span class="k">def</span> <span class="nf">test_csrf_no_state_mutation</span><span class="p">(</span><span class="n">auth_session</span><span class="p">):</span> <span class="c1"># 403 is necessary but not sufficient — assert state did not change </span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/file/rename</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">old_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">new_name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-CSRF-Token</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">}</span> <span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">auth_session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE_URL</span><span class="si">}</span><span class="s">/admin/files</span><span class="sh">"</span><span class="p">)</span> <span class="n">files</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">files</span><span class="sh">"</span><span class="p">]</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">hacked.txt</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">files</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">file.txt</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">files</span> </code></pre> </div> <p>A 403 status is necessary but not sufficient. If the server returns 403 but still processes the action, you have a different kind of bug. <br> <strong>Assert the state, not just the status.</strong></p> <h3> Robot Framework </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>*** Settings *** Library RequestsLibrary *** Variables *** ${BASE_URL} https://your-app.com *** Test Cases *** CSRF Empty Token On File Rename Returns 403 # CVE-2024-1538: missing nonce on file manager endpoint Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} ${response}= POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF Forged Token On File Rename Returns 403 Create Session app ${BASE_URL} ${headers}= Create Dictionary ... X-CSRF-Token=attacker-forged-token-abc123 ${response}= POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF Missing Token On Lang Parameter Returns 403 # mirrors exact CVE-2024-1538 attack surface: # lang parameter on wp_file_manager with no nonce validation Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} ${response}= POST On Session app /admin/file-manager ... json={"lang": "../../../malicious.js"} ... headers=${headers} Should Be Equal As Strings ${response.status_code} 403 CSRF No State Mutation When Token Missing Create Session app ${BASE_URL} ${headers}= Create Dictionary X-CSRF-Token=${EMPTY} POST On Session app /admin/file/rename ... json={"old_name": "file.txt", "new_name": "hacked.txt"} ... headers=${headers} ${files_response}= GET On Session app /admin/files Should Not Contain ${files_response.json()["files"]} hacked.txt Should Contain ${files_response.json()["files"]} file.txt </code></pre> </div> <h3> TypeScript — Playwright API testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">test</span><span class="p">,</span> <span class="nx">expect</span><span class="p">,</span> <span class="nx">APIRequestContext</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">apiContext</span><span class="p">:</span> <span class="nx">APIRequestContext</span><span class="p">;</span> <span class="nx">test</span><span class="p">.</span><span class="nf">beforeAll</span><span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">playwright</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">apiContext</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">playwright</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">newContext</span><span class="p">({</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-app.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// authenticate once, reuse session across all CSRF tests</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test_password</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">test</span><span class="p">.</span><span class="nf">afterAll</span><span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">dispose</span><span class="p">();</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — empty token on file rename returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// CVE-2024-1538 pattern: missing nonce = server must reject</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — forged token on file rename returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// attacker-controlled token value must be rejected</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">attacker-forged-token-abc123</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — missing token on lang parameter returns 403</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// mirrors exact CVE-2024-1538 attack surface:</span> <span class="c1">// lang parameter on wp_file_manager page, no nonce validation</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file-manager</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">lang</span><span class="p">:</span> <span class="dl">'</span><span class="s1">../../../malicious.js</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">403</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — no state mutation when token is missing</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="dl">''</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// state must be unchanged — file must not have been renamed</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/files</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">files</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">files</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">hacked.txt</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">files</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">CSRF — valid token on file rename succeeds</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// confirm the protection does not block legitimate requests</span> <span class="kd">const</span> <span class="nx">tokenResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/csrf-token</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">apiContext</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/admin/file/rename</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">old_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">file.txt</span><span class="dl">'</span><span class="p">,</span> <span class="na">new_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">renamed.txt</span><span class="dl">'</span> <span class="p">},</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="nx">token</span> <span class="p">}</span> <span class="p">});</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">()).</span><span class="nf">toBe</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Run CSRF tests in isolation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx playwright <span class="nb">test</span> <span class="nt">--grep</span> <span class="s2">"CSRF"</span> </code></pre> </div> <p><code>playwright.config.ts</code> for CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">testDir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./tests/security</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="na">baseURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">APP_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">https://your-app.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">projects</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">csrf-security</span><span class="dl">'</span><span class="p">,</span> <span class="na">testMatch</span><span class="p">:</span> <span class="dl">'</span><span class="s1">**/csrf.spec.ts</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <h3> CI/CD gate </h3> <p>These tests belong in GitLab CI as a <strong>blocking job on every merge <br> request</strong> — not an optional security scan that runs weekly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">csrf-security-tests</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">test</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pytest tests/security/test_csrf.py -v</span> <span class="pi">-</span> <span class="s">npx playwright test --grep "CSRF"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$CI_PIPELINE_SOURCE</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"merge_request_event"'</span> <span class="na">allow_failure</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <p>A 200 response on a missing-token request is an unambiguous pipeline failure condition. Pair with a Semgrep static analysis job that scans for route handlers missing CSRF middleware — the static check catches the pattern before deployment, the runtime tests confirm enforcement in the running application.</p> <h3> Burp Suite </h3> <p>Before writing a single automated test, use Burp Suite to map your <br> attack surface. Intercept a legitimate authenticated request to an admin endpoint, strip the CSRF token from the headers, and replay it. If it returns 200, you have a confirmed finding. Ten minutes per endpoint tells you where the gaps are before you spend time automating.</p> <h3> Environment note </h3> <p>Running CSRF tests locally is not the same as running them against your full stack. Some CDN edge configurations strip custom headers, including your CSRF token, before the request reaches the application server. A request that correctly returns 403 locally may return 200 in staging because the CDN silently dropped the token. Always run your CSRF suite against an environment that mirrors the full production network path.</p> <p>🔬 <strong>Practice this yourself:</strong> <a href="https://yuriysafron.com/qa-sandbox/csrf/" rel="noopener noreferrer">yuriysafron.com/qa-sandbox/csrf</a></p> <h2> Why AI fails here </h2> <p>When a team asks GitHub Copilot to generate CSRF tests, what they get is a test that logs in, submits a form with a valid token, and asserts a 200 response. The test passes. The team sees green and believes they have CSRF coverage.</p> <p>They have a happy-path test with a CSRF token in it. That is not the same thing.</p> <p>The structural reason LLMs cannot reason about this vulnerability class: <strong>CSRF is a relationship between origins, not a property of a single request.</strong> <br> LLMs generate tests in isolation. They model what a correct request looks like. They do not model what a forged request from an attacker-controlled page looks like.</p> <p>The concrete failure: a team ships a new admin file management module. All AI-generated tests pass. A researcher finds CVE-2024-1538 class behavior three weeks after release. The rename endpoint accepts requests with no token at all. The AI-generated suite never submitted a request without a token. The bug was always there. The suite never asked the question that would have found it.</p> <h2> How to prevent </h2> <p><strong>1. Synchronizer token pattern</strong> — implement at the middleware level across every state-changing endpoint. Framework-level enforcement means indvidual developers cannot accidentally skip validation on new endpoints. If each developer must remember to add the check manually, someone will forget. Put it in the middleware.</p> <p><strong>2. SameSite cookie attributes</strong> — <code>SameSite=Strict</code> or <code>SameSite=Lax</code> instructs the browser not to send cookies on cross-origin requests. Defense-in-depth, not a replacement for token validation. Older clients and certain redirect flows can bypass <code>SameSite=Lax</code>.</p> <p><strong>3. Origin and Referer header validation</strong> — the server checks that the <code>Origin</code> header matches its own domain. If it does not match, reject the request. Reliable secondary control when combined with the other two.</p> <p>Prevention only works if your test suite actively verifies each of these controls is enforced. A token pattern that is implemented but never tested is a token pattern that someone will quietly remove in a refactor and you will not know until production.</p> <h2> Conclusion </h2> <p>Working on a cybersecurity platform protecting U.S. critical <br> infrastructure and multiple branches of the U.S. military gives you a specific perspective on what a missed test actually costs.</p> <p>CSRF is not an academic edge case in that environment. It is the kind of gap that ends careers and makes headlines.</p> <p>The tests that matter most are never the ones that verify the feature works. They are the ones that verify the system <strong>refuses to do the wrong thing</strong>. CSRF lives exactly in that gap and most teams have never written a test that looks for it.</p> <p><em>Which endpoint in your current system would fail this test right now?</em></p> <p><em>Part of the **Break It on Purpose</em>* series - published weekly for QA engineers and SDETs who find bugs before attackers do.*</p> <p>🔬 Practice sandbox: <a href="https://yuriysafron.com/qa-sandbox" rel="noopener noreferrer">yuriysafron.com/qa-sandbox</a><br><br> 🔗 <a href="https://linkedin.com/in/yuriy-safronnynov" rel="noopener noreferrer">linkedin.com/in/yuriysafronnynov</a></p> security testing python webdev