HackVitraSec - Cybersecurity Company India | VAPT, Ethical Hacking, Web App Security

Case Study: CSRF Vulnerability in Banking App

Client Type: Banking Sector | Engagement: Web App VAPT | Date: July 2025

Background

A private bank's online portal allowed users to transfer funds using a single-click form submission. The client wanted us to review transaction flows for potential business logic and session-related flaws.

Vulnerability

Our team discovered that the funds transfer endpoint was vulnerable to Cross-Site Request Forgery (CSRF). The endpoint lacked anti-CSRF tokens and relied solely on the browser's session cookie to authorise POST requests whose parameter names and values were predictable.

Exploitation Flow

  • User is logged in to online banking
  • Attacker sends a crafted phishing link or auto-submitting form
  • Funds are transferred to the attacker's account without any further user interaction

Proof-of-Concept

We crafted an HTML page with a hidden auto-submitting form that silently triggered a funds transfer upon the user visiting the page.

<form action="https://bank.com/transfer" method="POST">
    <input type="hidden" name="to_acc" value="9876543210" />
    <input type="hidden" name="amount" value="10000" />
</form>
<script>document.forms[0].submit();</script>

Remediation

  • CSRF tokens were implemented in all sensitive state-changing endpoints
  • SameSite cookie flag set to Strict
  • Origin and Referer header checks added at the backend

Outcome

No real user was affected during the test. The vulnerability was fixed in 24 hours. Banking leadership appreciated our proactive detection, avoiding financial fraud and legal risks.
