# Cross-Site Request Forgery

> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP

## Summary

* [Methodology](#methodology)
* [Payloads](#payloads)

## Methodology

![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/CSRF%20injection/Images/CSRF-Cheatsheet.jpg)

## Payloads

### HTML GET – Requiring User Interaction for Proof-of-Concept

```html
Click Me
```

### HTML GET (No User Interaction)

```html
```

### HTML POST – Requiring User Interaction for Proof-of-Concept

```html
```

### HTML POST (AutoSubmit – No User Interaction)

```html
```

### JSON GET – Simple Request

```html
```

### JSON POST – Simple Request

```html
```

### JSON POST – Complex Request

```html
```

## References

- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
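
A server-side check for the request kinds named in the Payloads headings, as an added example that is not part of the original cheat sheet. The request object shape, the `x-csrf-token` header name, the origin and the secret are assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
// Content types a browser will send cross-origin without a CORS preflight.
const NO_PREFLIGHT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Token bound to the session: HMAC-SHA256(secret, sessionId), hex encoded.
function issueToken(secret, sessionId) {
  return crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
}

function tokenMatches(secret, sessionId, presented) {
  const expected = Buffer.from(issueToken(secret, sessionId));
  const given = Buffer.from(String(presented || ''));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// req is a simplified, hypothetical shape: { method, headers (lower-case keys), sessionId }.
// simpleRequest reports whether method and Content-Type alone avoid a preflight.
function checkRequest(req, cfg) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allow: true, reason: 'safe method; handler must not change state' };
  }
  const type = (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const simpleRequest = method === 'POST' && (type === '' || NO_PREFLIGHT_TYPES.has(type));
  if (req.headers['origin'] !== cfg.origin) {
    return { allow: false, reason: 'origin missing or not allowed', simpleRequest };
  }
  if (!tokenMatches(cfg.secret, req.sessionId, req.headers['x-csrf-token'])) {
    return { allow: false, reason: 'CSRF token missing or invalid', simpleRequest };
  }
  return { allow: true, reason: 'origin and token verified', simpleRequest };
}

// Constructed sample input, mirroring the request kinds in the Payloads headings.
const cfg = { origin: 'https://app.example.test', secret: 'constructed-demo-secret' };
const samples = [
  { method: 'GET', headers: {}, sessionId: 's1' },
  { method: 'POST', sessionId: 's1', headers: {
    'content-type': 'application/x-www-form-urlencoded', origin: 'https://other.example.test' } },
  { method: 'POST', sessionId: 's1', headers: { 'content-type': 'text/plain', origin: cfg.origin } },
  { method: 'POST', sessionId: 's1', headers: { 'content-type': 'application/json',
    origin: cfg.origin, 'x-csrf-token': issueToken(cfg.secret, 's1') } },
];
for (const s of samples) console.log(s.method, s.headers['content-type'] || '-', checkRequest(s, cfg));
```

GET passes this check, so the HTML GET and JSON GET cases are closed only by keeping state changes off safe methods.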