InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

CSRF in 2025: “Solved” But Still Bypassable

A few years ago, if you reported a Cross-Site Request Forgery (CSRF) vulnerability, many companies would shrug it off. “We use SameSite cookies.” “CSRF tokens are in place.” “This isn’t exploitable anymore.”

Yet here we are in 2025, and CSRF bypasses are still happening.

They don’t look like the old-school “force a logged-in user to change their email” type of attacks anymore. They’re sneakier. They exploit modern web APIs, misconfigured OAuth flows, and CORS screw-ups that make apps think they’re safe when they’re really not.

Let me walk you through how attackers are still pulling off CSRF in 2025 — and why developers keep getting it wrong.

The “CSRF is Dead” Myth

A lot of developers think SameSite cookies solved CSRF forever. They’re not wrong — if configured correctly.

But in bug bounty hunting, you don’t look for perfect implementations. You look for misconfigurations, edge cases, and forgotten endpoints.

Here’s where CSRF protections fail in 2025:

  1. SameSite=None without proper CORS rules → Allows cross-origin requests with cookies intact.
  2. CSRF tokens being leaked in API responses → Attackers steal them and forge requests.
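
A defensive check for the two failure modes listed above, as an added example that is not from the original article. It audits one captured response; the headers and body are constructed samples, and the function names, the `csrf|xsrf` key pattern and `https://untrusted.example` are assumptions made for illustration.

```python
import json
import re

TOKEN_KEY = re.compile(r"csrf|xsrf", re.I)  # assumed naming of token fields

def samesite_none_cookies(headers):
    """Names of cookies whose Set-Cookie header carries SameSite=None."""
    names = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            if any(a.lower().replace(" ", "") == "samesite=none" for a in attrs):
                names.append(pair.split("=", 1)[0])
    return names

def credentialed_cors(headers, probe_origin):
    """True if probe_origin may read this response with cookies attached."""
    h = {k.lower(): v.strip() for k, v in headers}
    return (h.get("access-control-allow-origin") == probe_origin
            and h.get("access-control-allow-credentials") == "true")

def token_fields(body):
    """JSON paths in the body whose key name looks like a CSRF token."""
    try:
        found, stack = [], [("$", json.loads(body))]
    except ValueError:
        return []
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            for k, v in node.items():
                if TOKEN_KEY.search(k) and isinstance(v, str):
                    found.append(f"{path}.{k}")
                stack.append((f"{path}.{k}", v))
        elif isinstance(node, list):
            stack += [(f"{path}[{i}]", v) for i, v in enumerate(node)]
    return sorted(found)

def audit(headers, body, probe_origin):
    """Findings for one response to a request sent with Origin: probe_origin."""
    cors = credentialed_cors(headers, probe_origin)
    return {"samesite_none": samesite_none_cookies(headers), "credentialed_cors": cors,
            "readable_tokens": token_fields(body) if cors else []}

# Constructed sample: the server reflected an origin it should not trust.
WEAK = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=None"),
        ("Access-Control-Allow-Origin", "https://untrusted.example"),
        ("Access-Control-Allow-Credentials", "true")]
BODY = '{"user": {"id": 7, "csrfToken": "constructed-value"}}'
```

Calling `audit(WEAK, BODY, "https://untrusted.example")` flags the `session` cookie, the credentialed CORS grant, and `$.user.csrfToken` as readable by that origin; the same body served with `SameSite=Lax` and an allow-listed origin returns no findings.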

Written by Vivek PS

I’m a programmer, web security researcher and chess player, focused on innovation, learning, and creating impactful solutions for growth.
