CSRF (Cross-Site Request Forgery)
// Definition
An attack that tricks an authenticated user's browser into sending a state-changing request to a site they are logged into, without their knowledge. Because the browser automatically attaches session cookies, the target server sees a legitimate-looking request. Classic mitigations: synchroniser tokens (a server-issued nonce added to forms and verified on submission), SameSite cookie attributes, and checking the Origin or Referer header. From a QA perspective: every state-changing endpoint (POST, PUT, PATCH, DELETE) should require a valid CSRF token or rely on SameSite=Strict/Lax cookies.
// Why it matters
CSRF rides a logged-in user's cookies to perform actions they didn't intend — a malicious page silently POSTs to your app using the victim's session. QA matters because the defence (anti-CSRF tokens, SameSite cookies) is easy to misconfigure and easy to forget to test: the request looks valid because, to the server, it is.
// How to test
// A state-changing request WITHOUT the CSRF token must be rejected
cy.getCookie('session').should('exist')
cy.request({
method: 'POST',
url: '/api/account/email',
body: { email: 'attacker@evil.com' },
// deliberately omit the X-CSRF-Token header
failOnStatusCode: false,
}).its('status').should('eq', 403)// Common mistakes
- Protecting POST but leaving state-changing GET endpoints open
- Accepting the token from a place an attacker can set (a query param)
- Relying on
SameSite=Laxalone for top-level POST navigations
// Related terms
Session
A server-side or client-side record that persists a user's authenticated state across requests. Sessions are created on login, referenced by a session ID sent in a cookie or header, and invalidated on logout or expiry. Testing considerations include: session fixation (attacker sets the victim's session ID before login), failure to rotate the ID after privilege escalation, excessively long session lifetimes that extend exposure after credential compromise, and whether logout actually invalidates the server-side session.
Token
A portable credential — typically a signed string — that a server issues and a client presents on subsequent requests to prove identity or authorisation. Tokens are stateless alternatives to server-side sessions; the server can verify them without a database lookup. Common forms: opaque bearer tokens (random strings referenced in a database), JWTs (self-contained with claims and a signature), and OAuth access tokens (short-lived grants scoped to specific resources). Key testing considerations: token expiry, revocation, scope enforcement, and transmission security (HTTPS-only, no logging).
OWASP
Open Worldwide Application Security Project — a non-profit publishing free security guidance, including the OWASP Top 10 list of the most critical web application risks. The default reference for application security testing.
XSS (Cross-Site Scripting)
An attack where attacker-controlled JavaScript executes in another user's browser, often via unescaped input rendered into HTML. Categories include reflected, stored, and DOM-based. Mitigated by output encoding and a strict Content Security Policy.