Two forms - one protected, one not. A forged cross-origin POST to the unprotected endpoint succeeds. Your goal is to find which one.
Cross-Site Request Forgery tricks an authenticated user into submitting a request they did not intend. Without CSRF protection, a malicious page can silently perform actions on behalf of a logged-in user - updating their profile, deleting their card, or changing their password.
| Outcome | Meaning |
|---|---|
| True Positive | Protected form correctly validates the CSRF token - forged request would be rejected |
| Bug Found | Unprotected delete form accepts a POST with no CSRF token at all |
Form A (✓ CSRF Protected): This form includes Django's CSRF token. Submit it normally, then try forging a request without the token.

Form B (✗ No CSRF Protection): This delete endpoint has no CSRF protection. Send a POST with no token and observe the result.

Actions available on the lab page and the expected outcome of each:

- Submit with Token on Form A - valid CSRF token present, update succeeds (true negative)
- Forge Request (no token) on Form A - no token sent, Django returns 403 (true positive)
- Send Tampered Token on Form A - fake token value sent, Django returns 403 (true positive)
- Send Delete Request (no token) on Form B - no token needed, request succeeds (bug found)
- GET /csrf/delete/ on Form B - GET on a write endpoint should return 405 (true positive)
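To make the five outcomes above concrete, here is an added example (not code from the lab or from Django) that models the check Django's CSRF middleware performs on a write request: the token submitted in the form body must match the token bound to the browser's session cookie, and the comparison is done in constant time. The `/csrf/delete/` path is the one on this page; `/csrf/update/` for Form A and the `csrftoken` / `csrfmiddlewaretoken` names are assumptions made for the example. The last scenario shows Form B once the same guard is applied to it.

```python
import hmac
import secrets

# Constructed stand-in for a double-submit CSRF check (hypothetical, not
# Django's own middleware): the form token must equal the cookie token.
# A page on another origin cannot read the victim's cookie, so a forged
# cross-origin POST cannot supply a matching form token.


def issue_csrf_token() -> str:
    """Return a fresh random token to be stored in the csrftoken cookie."""
    return secrets.token_hex(32)


def csrf_token_valid(cookie_token, form_token) -> bool:
    """Reject when either side is missing; otherwise compare in constant time."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def handle_request(method, path, cookies, form, protected_paths):
    """Dispatch a simplified request and return an HTTP status code.

    protected_paths is the set of write endpoints guarded by the token check.
    Any non-POST method on these write endpoints gets 405, as in the lab.
    """
    if method != "POST":
        return 405
    if path in protected_paths:
        cookie_token = cookies.get("csrftoken")
        form_token = form.get("csrfmiddlewaretoken")
        if not csrf_token_valid(cookie_token, form_token):
            return 403
    return 200  # action performed


def run_lab_scenarios():
    """Replay the lab's five actions plus a hardened Form B; returns status codes."""
    token = issue_csrf_token()
    cookies = {"csrftoken": token}  # browser sends this even on forged requests
    update, delete = "/csrf/update/", "/csrf/delete/"  # update path is assumed
    protected = {update}  # Form A guarded, Form B (delete) left unguarded
    # Tampered token: same length, last character flipped.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "form_a_valid": handle_request(
            "POST", update, cookies, {"csrfmiddlewaretoken": token, "name": "x"}, protected),
        "form_a_no_token": handle_request(
            "POST", update, cookies, {"name": "x"}, protected),
        "form_a_tampered": handle_request(
            "POST", update, cookies, {"csrfmiddlewaretoken": tampered}, protected),
        "form_b_no_token": handle_request(
            "POST", delete, cookies, {}, protected),
        "form_b_get": handle_request(
            "GET", delete, cookies, {}, protected),
        # The fix: put the delete endpoint under the same guard.
        "form_b_fixed_no_token": handle_request(
            "POST", delete, cookies, {}, protected | {delete}),
    }


if __name__ == "__main__":
    for name, status in run_lab_scenarios().items():
        print(f"{name}: {status}")
```

The bug on this page is exactly the `form_b_no_token` row: the endpoint changes state but sits outside the guard, so a request with no token returns 200. Django's real middleware also checks the `Origin` (or, for HTTPS, the `Referer`) header before the token comparison; the model above covers only the token part.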