Cross-Site Request Forgery (CSRF)¶
What is CSRF?¶
This vulnerability refers to an attack against authenticated web applications using cookies. The attacker is able to trick the victim into making a request that the victim did not intend to make.
CSRF Bypass¶
-
Change Request Method [POST => GET]
-
Decoding CSRF tokens
-
Extracting token via HTML injection
-
Using only the static parts of the token
-
Try to remove the referer header
-
There might be hotlinking preset so try to bypass it
-
Remove Total Token Parameter
-
Remove The Token, And Give a Blank Parameter
-
Copy a Unused Valid Token , By Dropping The Request and Use That Token
-
Use Own CSRF Token To Feed it to Victim
-
Replace Value With Of A Token of Same Length
-
Reverse Engineer The Token
-
Extract Token via HTML injection
-
Switch From Non-Form
Content-Type: application/jsonorContent-Type: application/x-url-encodedToContent-Type: form-multipart -
Bypass the regex
If the site is looking for “bank.com” in the referer URL, maybe “bank.com.attacker.com” or “attacker.com/bank.com” will work.
-
Remove the referer header (add this in your payload or html code)
-
Bypass referrer header protection
<meta name="referrer" content="no-referrer">
If whitelisting present. try these following things.
victim.com.attacker.com, attacker.com/victim.com
- Clickjacking
(If you aren’t familiar with clickjacking attacks, more information can be found https://owasp.org/www-community/attacks/Clickjacking.)
Exploiting clickjacking on the same endpoint bypasses all CSRF protection. Because technically, the request is indeed originating from the legitimate site. If the page where the vulnerable endpoint is located on is vulnerable to clickjacking, all CSRF protection will be rendered irrelevant and you will be able to achieve the same results as a CSRF attack on the endpoint, albeit with a bit more effort.
MindMap¶
Tools¶
https://github.com/0xInfection/XSRFProbe
https://github.com/PortSwigger/csrf-scanner
