Interactive, **safe** CSRF training: tokens, SameSite, Origin/Referer checks, and simulated attacker attempts. No real network requests — all simulated locally.
Simulated Server: Demo Bank
CSRF token (server-issued)
Simulate cookie SameSite
Server-side checks
Notes: **With Token** simulates a form submission that carries both the server-set session cookie and the hidden token field. **Without Token** simulates a forged cross-site request with no token. Change the SameSite setting and the header checks to see when each request succeeds.
Audit / Email History
Activity Log
Simulation Output
This UI only simulates behavior for teaching — no network calls or security risk.
How it works (brief)
The server "issues" a CSRF token, displayed above (you may hide it; in a real application tokens are secret and bound to the session).
Send (With Token) simulates a legitimate form POST that includes both the token and the session cookie set by the server.
Send (Without Token) simulates a forged request from another site, carrying no token. The server rules (SameSite, Origin, Referer, token check) determine whether the request is accepted or rejected.
Simulate Attack automatically sends a forged request and shows the detection and rejection logic that fires.
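The following is an added example, not the training page's own code: a local model of the browser's SameSite cookie rule and the simulated server's accept/reject logic. All names, the demo origin `https://bank.example`, the token value and the rule order are assumptions; the Lax model covers only the top-level GET navigation case.

```javascript
// Added example (not the page's own code): local CSRF decision model. Names and values assumed.

// Browser side: is the session cookie attached to a request coming from `fromOrigin`?
// Model: SameSite=Lax sends the cookie cross-site only on top-level GET navigations.
function cookieAttached(sameSite, fromOrigin, serverOrigin, method) {
  if (fromOrigin === serverOrigin) return true;   // same-site request: always sent
  if (sameSite === "Strict") return false;
  if (sameSite === "Lax") return method === "GET";
  return true;                                     // "None" (must also be Secure)
}

// Build the request the browser would send for a form POST issued from `fromOrigin`.
function buildRequest(fromOrigin, server, opts) {
  const method = opts.method || "POST";
  return {
    method,
    cookie: cookieAttached(server.sameSite, fromOrigin, server.origin, method) ? "session=abc" : null,
    origin: opts.stripOrigin ? undefined : fromOrigin,          // browsers send Origin on POST
    referer: opts.stripReferer ? undefined : fromOrigin + "/page",
    token: opts.token,                                          // hidden form field, if present
  };
}

// Server side: every enabled check must pass; `reasons` records why a request fails.
function serverDecision(req, server) {
  const reasons = [];
  if (!req.cookie) reasons.push("no session cookie (SameSite blocked it)");
  if (server.checkOrigin) {
    // Prefer Origin; fall back to Referer only when that check is enabled.
    const src = req.origin ?? (server.checkReferer ? req.referer : undefined);
    if (src === undefined) reasons.push("Origin/Referer absent");
    else if (new URL(src).origin !== server.origin) reasons.push("source origin mismatch: " + src);
  }
  if (server.requireToken && req.token !== server.csrfToken) reasons.push("CSRF token missing or invalid");
  return { accepted: reasons.length === 0, reasons };
}

// Constructed demo server (no network; all values made up for the simulation).
const bank = { origin: "https://bank.example", csrfToken: "t0k3n", sameSite: "Lax",
               requireToken: true, checkOrigin: true, checkReferer: true };

// Run one scenario; `overrides` lets you weaken or strengthen the server config.
function simulate(fromOrigin, opts, overrides) {
  const srv = { ...bank, ...overrides };
  return serverDecision(buildRequest(fromOrigin, srv, opts), srv);
}
```

Call `simulate("https://evil.example", {})` for the forged case and `simulate("https://bank.example", { token: "t0k3n" })` for the legitimate one; passing `{ sameSite: "None", requireToken: false, checkOrigin: false }` as overrides shows the configuration in which the forged request is accepted.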