Simuna Infosec
Technical | 2026-10-19

Cross-Site Request Forgery (CSRF): Understanding and Testing State-Changing Attacks for Australian Enterprises

CSRF tricks authenticated users' browsers into performing unintended state-changing actions. How modern defences work and how to test them, with guidance for the Australian market.

Cross-Site Request Forgery (CSRF) tricks an authenticated user's browser into making unintended requests to a web application where they're logged in. If successful, the attacker can perform any action the user is authorised to perform: changing account settings, initiating transfers, or modifying data. The attack works because the browser attaches the session cookie automatically, so the application cannot tell a request the user meant to make from one that an attacker's page triggered. Modern defences include CSRF tokens (unguessable per-session or per-request values that every state-changing request must carry and that the server checks against the session), the SameSite cookie attribute (Lax or Strict stops the browser sending the cookie on cross-site POSTs; Lax still sends it on top-level GET navigations, so state must never change on GET), and custom request headers (a cross-origin page cannot add them without a CORS preflight that the server must explicitly allow). Testing verifies that these defences are actually enforced, not merely present: are CSRF tokens included on every state-changing form and API call? Does the server reject the request when the token is removed, replaced with another user's, or reused under a different session? Do SameSite and Secure attributes cover every cookie that carries authentication? Can bypass techniques such as switching the HTTP method, changing the Content-Type, or moving the token to a different parameter get past the check?
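The following is an added example, not code from Simuna Infosec: a minimal server-side CSRF check that layers a source-origin check (Origin or Referer) in front of a synchronizer token, a Set-Cookie builder that applies SameSite=Lax, and a tester's helper that verifies a Set-Cookie line carries the attributes the paragraph calls for. The origin `https://bank.example`, the `/transfer` path, the `csrf_token` field and the `X-CSRF-Token` header are hypothetical, and `run_scenarios` replays constructed requests that each drop one defence, which is exactly what a tester does by hand with a proxy.

```python
"""Server-side CSRF defences plus the checks a tester replays against them.
Added example: bank.example, /transfer, csrf_token and X-CSRF-Token are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://bank.example"}   # hypothetical application origin
CSRF_FIELD = "csrf_token"                     # hidden form field name (hypothetical)
CSRF_HEADER = "x-csrf-token"                  # custom header alternative (hypothetical)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    user: str
    # Per-session synchronizer token: 256 bits from the OS CSPRNG, so a cross-site
    # page cannot guess it and the same-origin policy stops it reading the token.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict          # header names are compared case-insensitively
    form: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def session_cookie(sid: str) -> str:
    """Set-Cookie value for the session cookie. SameSite=Lax stops the browser attaching
    it to cross-site POSTs (the CSRF vector); Strict would also drop it on top-level links."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_csrf_safe(set_cookie: str) -> bool:
    """Tester's check: does a Set-Cookie line carry SameSite=Lax or Strict plus Secure?
    SameSite=None, or no attribute at all (browser-dependent default), fails the check."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return "secure" in attrs and bool(attrs & {"samesite=lax", "samesite=strict"})


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def csrf_check(req: Request, session: Session) -> tuple[bool, str]:
    """Return (allowed, reason). Layered: source-origin check first, then the token."""
    if req.method not in STATE_CHANGING:
        # Safe methods are deliberately unprotected, so any state change on GET is a CSRF bug.
        return True, "safe method"
    # 1. Origin (or, failing that, Referer) must be the application's own origin. Browsers
    #    set Origin on cross-site POSTs and page script cannot forge it; absent is rejected.
    origin = req.header("Origin") or _origin_of(req.header("Referer"))
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin or '<none>'}"
    # 2. Token from the form body or the custom header must equal the session's token.
    #    compare_digest avoids leaking the token through timing differences.
    supplied = req.form.get(CSRF_FIELD) or req.header(CSRF_HEADER)
    if not supplied or not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed requests a tester would replay: two legitimate, the rest each weakened."""
    victim = Session(user="alice")
    other = Session(user="mallory")
    good_form = {"to": "ACC-123", "amount": "500", CSRF_FIELD: victim.csrf_token}
    forged_form = {"to": "ACC-666", "amount": "5000"}
    scenarios = {
        "legit_form": Request("POST", "/transfer", {"Origin": "https://bank.example"}, good_form),
        "legit_header": Request("POST", "/transfer",
                                {"Origin": "https://bank.example", "X-CSRF-Token": victim.csrf_token},
                                {"to": "ACC-123", "amount": "500"}),
        "referer_only": Request("POST", "/transfer", {"Referer": "https://bank.example/transfer"}, good_form),
        "cross_site_form": Request("POST", "/transfer", {"Origin": "https://attacker.example"}, forged_form),
        "token_stripped": Request("POST", "/transfer", {"Origin": "https://bank.example"}, forged_form),
        "other_users_token": Request("POST", "/transfer", {"Origin": "https://bank.example"},
                                     {**forged_form, CSRF_FIELD: other.csrf_token}),
        "get_is_unprotected": Request("GET", "/transfer?to=ACC-666&amount=5000", {}),
    }
    return {name: csrf_check(req, victim) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
    print("session cookie safe:", cookie_is_csrf_safe(session_cookie("demo")))
```

The `token_stripped` and `other_users_token` scenarios are the ones that separate a token that is merely rendered from one that is validated: if either is allowed through, the form has a token but the server is not checking it. The `get_is_unprotected` case passes by design, which is why a test plan also looks for any GET endpoint that changes state.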