Cybersecurityknowledge~30 mins

Cross-site request forgery (CSRF) in Cybersecurity - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Practice Challenge Project Recall Time

Understanding Cross-site Request Forgery (CSRF)

📖 Scenario: You are learning about web security. One common attack is called Cross-site Request Forgery (CSRF). It tricks a user's browser into sending unwanted requests to a website where the user is logged in.Imagine you have a simple website where users can update their email address. Without protection, an attacker could make a user unknowingly change their email by visiting a malicious page.

🎯 Goal: Build a step-by-step understanding of how CSRF works and how to protect against it by using a secret token in web forms.

📋 What You'll Learn

Create a dictionary representing a user session with a CSRF token

Add a variable for the expected CSRF token value

Write a function that checks if a submitted token matches the expected token

Complete the example by showing how to verify the token before updating user data

💡 Why This Matters

🌍 Real World

CSRF protection is essential for any website that allows users to perform actions while logged in, such as changing settings or making purchases.

💼 Career

Understanding CSRF helps web developers and security professionals protect applications from unauthorized actions caused by malicious websites.

Progress0 / 4 steps

Create a user session dictionary with a CSRF token

Create a dictionary called user_session with these exact entries: 'user_id': 101, 'csrf_token': 'abc123xyz'

Cybersecurity

# Create the user_session dictionary with user_id and csrf_token
# Your code here

Need a hint?

Think of user_session as a small box holding user info and a secret token.

Add a variable for the expected CSRF token

Create a variable called expected_token and set it to the string 'abc123xyz'

Cybersecurity

user_session = {'user_id': 101, 'csrf_token': 'abc123xyz'}
# Create expected_token variable with the CSRF token string
# Your code here

Need a hint?

This token is what the server expects to receive from a valid form submission.

Write a function to check the CSRF token

Define a function called is_valid_csrf that takes one parameter token and returns True if token equals expected_token, otherwise False

Cybersecurity

user_session = {'user_id': 101, 'csrf_token': 'abc123xyz'}
expected_token = 'abc123xyz'
# Define is_valid_csrf(token) function to compare token with expected_token
# Your code here

Need a hint?

This function helps the server decide if the request is safe by checking the token.

Complete the example by verifying the CSRF token before updating

Write code that sets a variable submitted_token to 'abc123xyz' and then uses is_valid_csrf(submitted_token) in an if statement to simulate allowing an email update only if the token is valid

Cybersecurity

user_session = {'user_id': 101, 'csrf_token': 'abc123xyz'}
expected_token = 'abc123xyz'

def is_valid_csrf(token):
    return token == expected_token

# Set submitted_token and check it with is_valid_csrf
# Your code here

Need a hint?

This final step shows how the server uses the token check to protect user actions.