> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# CSRF (Cross-Site Request Forgery)

> Cross-platform resources for CSRF (Cross-Site Request Forgery): curated HTB machines, PortSwigger labs and TryHackMe rooms with validated writeups and related skills.

# CSRF (Cross-Site Request Forgery)

This page aggregates **cross-platform resources to practice CSRF (Cross-Site Request Forgery)**: retired Hack The Box machines, PortSwigger Web Security Academy labs and TryHackMe rooms, plus curated resources (HackTricks, PortSwigger, etc.) and related skills.

## Curated resources

| Source      | Link                                                                                   |
| ----------- | -------------------------------------------------------------------------------------- |
| PortSwigger | [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf) |

## HTB machines practicing CSRF (Cross-Site Request Forgery) (2)

| Machine                                             | OS      | Difficulty                                           |
| --------------------------------------------------- | ------- | ---------------------------------------------------- |
| [CrossFit](/en/htb/machines/linux/insano/crossfit)  | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |
| [SecNotes](/en/htb/machines/windows/medio/secnotes) | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |

## PortSwigger labs practicing CSRF (Cross-Site Request Forgery) (15)

| Lab                                                                                                                                                                            | Difficulty                                                 | Topic                             | Official                                                                                                                                  |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| [Basic clickjacking with CSRF token protection](/en/portswigger/labs/clickjacking/basic-csrf-protected)                                                                        | <span className="dbadge dbadge-easy">APPRENTICE</span>     | Clickjacking                      | [Open](https://portswigger.net/web-security/clickjacking/lab-basic-csrf-protected)                                                        |
| [CSRF vulnerability with no defenses](/en/portswigger/labs/csrf/no-defenses)                                                                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/lab-no-defenses)                                                                         |
| [CSRF where Referer validation depends on header being present](/en/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-depends-on-header-being-present) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-depends-on-header-being-present) |
| [CSRF where token is duplicated in cookie](/en/portswigger/labs/csrf/bypassing-token-validation-token-duplicated-in-cookie)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie)                               |
| [CSRF where token is not tied to user session](/en/portswigger/labs/csrf/bypassing-token-validation-token-not-tied-to-user-session)                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-not-tied-to-user-session)                           |
| [CSRF where token is tied to non-session cookie](/en/portswigger/labs/csrf/bypassing-token-validation-token-tied-to-non-session-cookie)                                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-tied-to-non-session-cookie)                         |
| [CSRF where token validation depends on request method](/en/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-request-method)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-request-method)               |
| [CSRF where token validation depends on token being present](/en/portswigger/labs/csrf/bypassing-token-validation-token-validation-depends-on-token-being-present)             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-token-being-present)          |
| [CSRF with broken Referer validation](/en/portswigger/labs/csrf/bypassing-referer-based-defenses-referer-validation-broken)                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken)                          |
| [Exploiting XSS to bypass CSRF defenses](/en/portswigger/labs/cross-site-scripting/exploiting-perform-csrf)                                                                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | Cross-Site Scripting (XSS)        | [Open](https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf)                                             |
| [Performing CSRF exploits over GraphQL](/en/portswigger/labs/graphql/graphql-csrf-via-graphql-api)                                                                             | <span className="dbadge dbadge-medium">PRACTITIONER</span> | GraphQL                           | [Open](https://portswigger.net/web-security/graphql/lab-graphql-csrf-via-graphql-api)                                                     |
| [SameSite Lax bypass via cookie refresh](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-cookie-refresh)                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-cookie-refresh)           |
| [SameSite Lax bypass via method override](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-lax-bypass-via-method-override)                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override)             |
| [SameSite Strict bypass via client-side redirect](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-client-side-redirect)                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-client-side-redirect)     |
| [SameSite Strict bypass via sibling domain](/en/portswigger/labs/csrf/bypassing-samesite-restrictions-samesite-strict-bypass-via-sibling-domain)                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | CSRF (Cross-Site Request Forgery) | [Open](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-strict-bypass-via-sibling-domain)           |

## TryHackMe rooms practicing CSRF (Cross-Site Request Forgery) (2)

| Room                                                                   | Difficulty                                         | Type        | Access  | Official                                               |
| ---------------------------------------------------------------------- | -------------------------------------------------- | ----------- | ------- | ------------------------------------------------------ |
| [Custom Tooling Using Python](/en/tryhackme/rooms/customtoolingpython) | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Open](https://tryhackme.com/room/customtoolingpython) |
| [NahamStore](/en/tryhackme/rooms/nahamstore)                           | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Open](https://tryhackme.com/room/nahamstore)          |

***

← [Back to the full glossary](/en/glossary)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"CSRF (Cross-Site Request Forgery)","termCode":"csrf","inLanguage":"en","url":"https://rootea.es/en/skills/csrf","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Tactical pentesting glossary","url":"https://rootea.es/en/glossary"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"HTB machines practicing CSRF (Cross-Site Request Forgery)","numberOfItems":2,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/en/htb/machines/linux/insano/crossfit","name":"CrossFit"},{"@type":"ListItem","position":2,"url":"https://rootea.es/en/htb/machines/windows/medio/secnotes","name":"SecNotes"}]}`}
</script>

*Last updated: 2026-06-07*
