A cross-site request forgery (CSRF) attack attempts to execute an action in the victim's name rather than to steal personal data. Once the forged request has been sent, the attacker has no direct way to observe its result, so attackers often issue many forgeries.
The attack can come from malicious emails, websites, or blogs, and targets another open website that a user has already logged into. When a basic user is targeted, the goal for the attacker is usually changing a password or transferring currency. When an administrative user is targeted, a successful CSRF attack can compromise an entire web application.
Assume you are banking with BigBank. You want to check your balance, so you log in to your account at BigBank.com. While checking your balance you decide to look at something urgent on DangerousWebsite.com. Malicious attackers have added the following line of code to DangerousWebsite.com:
<iframe src="http://bigbank.com/app/transferFunds?amount=5000&destinationAccount=..."></iframe>
When you visit the malicious website, your browser loads the iframe and sends the request to BigBank.com with your session cookie attached, so a CSRF attack is carried out against BigBank.com and 5,000 dollars is stolen from your account. The attack could have been prevented through the use of synchronizer tokens or double submit cookies. It could also have been prevented by only having one window open when performing sensitive actions and remembering to log out at the end of a session.
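The following is an added example, not code from the original article or from any real bank, showing how the two server-side defences named above reject the forged transfer. It models BigBank's /app/transferFunds handler with a constructed in-memory session store and a minimal Request stand-in (the names SESSIONS, Request, login, render_transfer_form, transfer_funds and double_submit_is_valid are all assumptions made for this illustration). The synchronizer token is generated per session and embedded in the legitimate form; the forged iframe request carries the victim's cookie but cannot carry the token, so it fails the check. The double-submit variant compares a token cookie against the form field instead, relying on the fact that a cross-site page cannot read the victim's cookies.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> session data (example only).
SESSIONS: dict[str, dict] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id: str) -> str:
    """The legitimate transfer page embeds the session's token as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/app/transferFunds">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input name="destinationAccount">'
        "</form>"
    )


def token_from_form(html: str) -> str:
    """What a same-origin page (or a test) does: read the hidden token out of the form."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def synchronizer_token_is_valid(request: Request) -> bool:
    """Synchronizer token check: the token in the body must match the one stored in the session."""
    session = SESSIONS.get(request.cookies.get("session", ""))
    if session is None:
        return False
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token through timing.
    return hmac.compare_digest(submitted, session["csrf_token"])


def double_submit_is_valid(request: Request) -> bool:
    """Double-submit cookie variant: the same random value must arrive both as a cookie
    and in the form body. A cross-site page cannot read the cookie, so it cannot copy it."""
    cookie_value = request.cookies.get("csrf", "")
    submitted = request.form.get("csrf_token", "")
    return bool(cookie_value) and hmac.compare_digest(cookie_value, submitted)


def transfer_funds(request: Request) -> tuple[int, str]:
    """Hardened handler for /app/transferFunds. Returns (HTTP status, message)."""
    # State-changing actions never run on GET, so an <iframe src=...> or <img src=...> cannot trigger them.
    if request.method != "POST":
        return 405, "state-changing actions must use POST"
    session = SESSIONS.get(request.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    if not synchronizer_token_is_valid(request):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request.form['amount']} to {request.form['destinationAccount']}"


if __name__ == "__main__":
    sid = login("victim")
    token = token_from_form(render_transfer_form(sid))
    # Legitimate submission from BigBank's own form: cookie and token both present.
    print(transfer_funds(Request("POST", "/app/transferFunds", {"session": sid},
                                 {"csrf_token": token, "amount": "50", "destinationAccount": "savings"})))
    # The iframe from the article: browser attaches the cookie, but it is a GET with no token.
    print(transfer_funds(Request("GET", "/app/transferFunds", {"session": sid},
                                 {"amount": "5000", "destinationAccount": "attacker"})))
    # A forged auto-submitting POST form: cookie present, token absent.
    print(transfer_funds(Request("POST", "/app/transferFunds", {"session": sid},
                                 {"amount": "5000", "destinationAccount": "attacker"})))
```

Running the script prints a 200 for the legitimate form and 405 / 403 for the two forged variants. Note that the same-origin policy is what makes both patterns work: the attacker's page can cause the browser to send the cookie, but cannot read BigBank's form HTML or cookies to learn the token.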
CSRF attacks are a serious issue that can cost a company a significant amount of resources. Sorting through customers who have been affected by attacks takes time, and issuing refunds for the actions of malicious attackers means lost profits.
In 2014 a study by WhiteHat concluded that it took over 100 days to resolve issues that arose from CSRF across almost all programming languages. Implementing CSRF prevention measures from the beginning saves both time and money in the long run.