What type of attack does CSRF qualify as?

Prepare for the Cisco Certified DevNet Associate Exam. Use flashcards and multiple choice questions to boost your knowledge, with hints and explanations to guide you. Ace your exam effectively!

Cross-Site Request Forgery (CSRF) is categorized as a session hijacking attack. In CSRF, an attacker tricks a victim into unknowingly submitting a request to a web application where the victim is authenticated, so the request is made with the victim's credentials or session. This happens without the victim's consent, and the resulting actions execute in the context of the victim's active session, hence "hijacking" the session to perform unauthorized actions.

Understanding CSRF’s nature as a session hijacking attack is critical in web security. It exploits the trust that a site has in an authenticated user rather than directly targeting the user's data, as a data breach does. Data breaches focus on unauthorized access to sensitive data, while unauthorized access attacks typically involve gaining entry to a system or network without permission but do not necessarily involve exploiting an existing authenticated session. Similarly, injection attacks involve inserting malicious code into an application, which is a different vector from the one CSRF employs. Therefore, recognizing CSRF as a session hijacking attack clarifies its mechanisms and highlights the importance of implementing anti-CSRF measures, like token validation, to protect against such vulnerabilities.
