
A Traffic-Analysis Approach to the Automatic Black-Box Detection of CSRF Vulnerabilities in Web Applications

Advisor: 王凡

Abstract

Cross-site request forgery (CSRF) is a type of attack in which an attacker tricks the victim's web browser into sending an authenticated HTTP request to a vulnerable web application, thereby executing a state-changing operation without the victim's consent. Since its discovery in the early 2000s it has long been regarded as one of the top 10 web application security risks and one of the top 25 software security weaknesses. In recent years the detection of CSRF vulnerabilities in web applications has gained increasing attention because the number of reported CSRF vulnerabilities is trending upward. Existing approaches still have room for improvement in detecting potential CSRF vulnerabilities in web applications that adopt the synchronizer token pattern, the cookie-to-header token technique, and/or the double submit cookie technique as token-based CSRF protection. This thesis therefore proposes a traffic-analysis approach that is simultaneously automatic, black-box, passive, and language-independent, and supports it with experimental evidence.
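As an added illustration (not code from the thesis), the following passive check classifies each captured request by which of the three token-based protections named in the abstract it exhibits, and reports state-changing requests that carry none as potential CSRF findings. The traffic records, the token-name heuristic and the `seen_tokens` bookkeeping are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Heuristics assumed for this example; the thesis's own rules are not reproduced here.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)

@dataclass
class Exchange:
    method: str
    url: str
    headers: dict = field(default_factory=dict)    # request headers
    cookies: dict = field(default_factory=dict)    # cookies sent with the request
    body: dict = field(default_factory=dict)       # parsed form / JSON fields
    seen_tokens: set = field(default_factory=set)  # token values issued by earlier responses

def classify_protection(ex):
    """Name the token-based CSRF pattern a request exhibits, or None if no token is found."""
    if ex.method.upper() not in STATE_CHANGING:
        return "not-state-changing"
    cookie_values = set(ex.cookies.values())
    # Cookie-to-header: a token-like header echoes a cookie value.
    for name, value in ex.headers.items():
        if TOKEN_NAME.search(name) and value in cookie_values:
            return "cookie-to-header"
    # Double submit cookie: a token-like body field echoes a cookie value.
    for name, value in ex.body.items():
        if TOKEN_NAME.search(name) and value in cookie_values:
            return "double-submit-cookie"
    # Synchronizer token: the value was handed out by a prior server response.
    for name, value in list(ex.headers.items()) + list(ex.body.items()):
        if TOKEN_NAME.search(name) and value in ex.seen_tokens:
            return "synchronizer-token"
    return None

def find_potential_csrf(exchanges):
    """URLs of state-changing requests with no recognised token-based protection."""
    return [ex.url for ex in exchanges if classify_protection(ex) is None]

# Constructed sample traffic (not real captures): one session, five requests.
SAMPLE = [
    Exchange("GET", "/profile", cookies={"session": "s1"}),
    Exchange("POST", "/profile", body={"email": "a@b.c", "csrf_token": "T1"},
             cookies={"session": "s1"}, seen_tokens={"T1"}),
    Exchange("POST", "/api/transfer", headers={"X-CSRF-Token": "C9"},
             cookies={"session": "s1", "XSRF-TOKEN": "C9"}, body={"amount": "10"}),
    Exchange("POST", "/settings", body={"theme": "dark", "csrf": "C9"},
             cookies={"session": "s1", "csrf": "C9"}),
    Exchange("POST", "/delete-account", body={"confirm": "yes"},
             cookies={"session": "s1"}, seen_tokens={"T1"}),
]
```

A request flagged here is only a candidate: the application may validate the token server-side in a way the passive view cannot see, or may accept the request without ever checking the token, so a finding still needs confirmation before it is reported as a vulnerability.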
