Does CSRF work when the target site is not open on a tab?
When you log in to example.com, your browser stores a session token in a cookie. This session token uniquely identifies your logged-in session with example.com. Every time your browser makes any request to example.com, that request includes your example.com cookie data, including your unique session token.
With that in mind, consider the fact that a Web page can make your browser attempt to fetch any resource on the Web, e.g., through <img> or <iframe> tags. If a page includes a tag that asks your browser to fetch a page from example.com, the fetch will include your session info. The request is done in the context of your logged-in session (i.e., the fetch is being done as your logged-in example.com user account).
If the fetch of the example.com resource causes some action, then you (and the site) have fallen victim to a CSRF attack.
To answer your question directly: no, you do not need to have an example.com page open; you only need to have a valid example.com session token in your cookies.
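As an added illustration (not part of this answer, and not any real site's code), here is a small Python model of the rule described above: the cookie jar attaches the example.com session cookie to a fetch triggered by an <img> on some other site while no example.com tab is open, a cookie-only endpoint accepts it, and the two usual mitigations (a per-session token checked server-side, and a SameSite cookie attribute) stop it. The session id, token, hostnames and /transfer endpoint are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample state: one logged-in example.com session (values are made up).
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": "tok-9f8e7d"}}

class CookieJar:
    """Browser rule from the answer: a cookie is sent to its own host on every
    request, whatever page caused it. SameSite is the browser-side mitigation."""
    def __init__(self):
        self.cookies = []  # (host, name, value, samesite)

    def set(self, host, name, value, samesite="None"):
        self.cookies.append((host, name, value, samesite))

    def for_request(self, url, initiator_origin, top_level):
        host = urlsplit(url).hostname
        same_site = urlsplit(initiator_origin).hostname == host
        sent = {}
        for c_host, name, value, samesite in self.cookies:
            if c_host != host or (samesite == "Strict" and not same_site):
                continue
            if samesite == "Lax" and not same_site and not top_level:
                continue  # Lax withholds the cookie on embedded cross-site fetches (img/iframe)
            sent[name] = value
        return sent

def vulnerable_transfer(cookies, form):
    """State change authorised by the session cookie alone: CSRF-able."""
    return 401 if SESSIONS.get(cookies.get("session")) is None else 200

def hardened_transfer(cookies, form):
    """Also requires the per-session token, which another site's page cannot read."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return 403
    return 200  # transfer executed as sess["user"]

def cross_site_img(samesite):
    """Another site's page embeds <img src='https://example.com/transfer?...'>; no
    example.com tab is open. Returns (vulnerable, hardened) status codes."""
    jar = CookieJar()
    jar.set("example.com", "session", "sess-abc123", samesite)
    url = "https://example.com/transfer?to=mallory&amount=100"
    cookies = jar.for_request(url, "https://attacker.example", top_level=False)
    return vulnerable_transfer(cookies, {}), hardened_transfer(cookies, {})
```

With the default cookie (no SameSite restriction) the cookie-only endpoint returns 200 for the cross-site image fetch, while the token-checking endpoint returns 403; with SameSite=Lax or Strict the cookie is never sent, so both return 401.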
The victim does not need to have that site open. The victim has a cookie that authenticates him to example.com; when the victim's browser requests the URL in the img tag, it will send the example.com cookie in the header of the request.
In viewing this answer, your browser has made a request to wikimedia.org, regardless of whether you are separately browsing that site or not:
It's the same principle at work in the OWASP example, but rather than an image, you're carrying out some (authenticated) action on example.org.