Request Forgery

Info

ID: AT-PE003
Tactic: Payload Execution
Sub-techniques: CSRF, JNDI Injection, SSRF, Serialized Data External Linking

Request Forgery

Adversaries may craft requests that cause the application or an associated service to perform actions on their behalf. Techniques like Server-Side Request Forgery (SSRF) can trick the system into calling internal endpoints, while Cross-Site Request Forgery (CSRF) exploits a user’s active session to execute unintended commands. Additionally, forging requests to external services - like JNDI injection - can load remote classes or direct the victim environment to retrieve malicious code.

Because many cloud workloads rely on ephemeral service tokens and assume trust in certain internal routes, request forgery can pivot an attacker from a superficial vantage to more privileged positions. This technique often pairs with insecure access controls or incomplete input validation, letting attackers bypass segmentation or access data typically restricted to internal processes. Request forgery is particularly damaging when combined with application features that automatically process or store fetched data.