CSRF – Bypasses and Techniques


1. Remove the entire token parameter together with its value, or remove just the value.
2. Use any other random token of the same length.
3. Use a random token that is one character shorter (length-1) or longer (length+1).
4. Use the attacker's own token in the victim's session (works when the token is not bound to the session that issued it).
5. Change the method from POST to GET and remove the token.
6. If the request is made through PUT or DELETE, try POST (including method-override parameters or headers the framework may honour).
7. If the token is sent through a custom header, try removing the header.
8. Change the Content-Type to application/json, application/x-www-form-urlencoded, multipart/form-data, text/xml or application/xml. Only the form-submittable types (application/x-www-form-urlencoded, multipart/form-data, text/plain) can be sent cross-site from an HTML form without a CORS preflight, so an endpoint that accepts one of them is the one worth attacking.
9. If a double-submit token is used (the same value in a cookie and in a parameter or header), look for CRLF/response-header injection that lets you set the cookie half to a value you choose, then submit that value as the parameter.

10. Bypassing the referrer check:

i. If the Referer header is checked only when it is present in the request, suppress it in your CSRF PoC by adding <meta name="referrer" content="no-referrer"> to the page (the legacy spelling content="never" is still accepted by most browsers).

ii. Regex or substring referrer bypass: if the check only looks for the target's domain somewhere in the Referer, host the PoC on a domain that contains it (for example example.com.attacker.example) or put it in the path (https://attacker.example/example.com/).

11. CSRF token stealing via XSS, HTML injection (for example dangling markup that leaks the part of the page containing the token) or a CORS misconfiguration that lets a cross-origin page read a response containing the token.

12. JSON-based endpoints:

i. Change the Content-Type to text/plain, application/x-www-form-urlencoded or multipart/form-data and check whether the endpoint still parses the JSON body. These are the types an HTML form can send cross-site without a preflight; with enctype="text/plain" a field whose name is the first part of the JSON document and whose value closes it produces a body that still parses as JSON.

ii. Flash + 307 redirect (historical): a Flash file on the attacker's origin sends a request with Content-Type: application/json to an attacker-controlled server, which replies with a 307 redirect to the target; a 307 preserves the method, body and headers. Adobe ended Flash support at the end of 2020 and browsers have removed it, so this only applies to legacy clients.

13. Guessable or predictable CSRF token (for example one derived from the user ID or a timestamp).

14. Clickjacking to bypass a strong CSRF token: frame the legitimate page, which already carries a valid token, and trick the user into clicking the submit control.

15. Type juggling: in PHP a loose comparison (==) between the expected token and the submitted value can succeed for values it converts to the same number, for example "0e123" == "0e456" is true because both are numeric strings equal to 0.

16. Array: send the token as an array, e.g. [email protected]&csrftoken[]=lol. Before PHP 8, strcmp() on an array emits a warning and returns NULL, and NULL == 0 makes a check such as strcmp($expected, $_POST['csrftoken']) == 0 pass.

17. Set the CSRF token to the literal string "null" or inject null bytes (%00) into it.
18. Check whether the CSRF token is ever sent over plain HTTP or leaked to a third party (for example in a URL that ends up in a Referer header).
19. Generate multiple CSRF tokens and observe the static part. Keep it as it is and play with the dynamic part.

Practice Verified Codes and Commands:

  • Removing the token parameter (replay the request with the victim's session cookie but without the token, so that only the CSRF check is being tested):

    curl -b "sessionid=<victim_session>" -X POST http://example.com/api/endpoint -d "param1=value1&param2=value2"

  • Changing the method from POST to GET (quote the URL, otherwise the shell treats & as a background operator):

    curl -b "sessionid=<victim_session>" "http://example.com/api/endpoint?param1=value1&param2=value2"

  • Changing the Content-Type (repeat with application/x-www-form-urlencoded, multipart/form-data and text/plain, since those are the ones a cross-site form can send):

    curl -b "sessionid=<victim_session>" -X POST http://example.com/api/endpoint -H "Content-Type: application/json" -d '{"param1":"value1","param2":"value2"}'

  • CRLF injection against a double-submit cookie: a POST body cannot inject a response header, so find an endpoint that reflects input into a header (a hypothetical language-switch redirect is used here), confirm it lets you set the cookie half of the token, then submit the same value as the parameter:

    curl -i "http://example.com/setlang?lang=en%0D%0ASet-Cookie:%20csrftoken=attacker_token"
    curl -b "sessionid=<victim_session>; csrftoken=attacker_token" -X POST http://example.com/api/endpoint -d "csrftoken=attacker_token&param1=value1"

  • Bypassing the referrer check (in the <head> of the PoC page; "never" is the legacy spelling):

    <meta name="referrer" content="no-referrer">

  • CSRF token stealing via XSS: the injected script fetches a same-origin page that embeds the token (the browser attaches the victim's session cookie), extracts the token from the response, and submits the forged request with it.

  • Literal "null" token (item 17; the type-juggling case in item 15 needs a value such as 0e123 that PHP compares loosely against the real token):

    curl -b "sessionid=<victim_session>" -X POST http://example.com/api/endpoint -d "param1=value1&csrftoken=null"

What Undercode Say:

Cross-Site Request Forgery (CSRF) lets an attacker make a logged-in user's browser send state-changing requests the user never intended. The techniques listed above are the checks to run whenever an anti-CSRF mechanism is present, because a token that exists is not the same as a token that is validated. On the defensive side the same list tells you what matters: bind the token to the session and compare it properly, validate the Origin (or Referer) header against an exact allow-list rather than a substring, set SameSite on the session cookie, and reject form-submittable content types and method changes on JSON endpoints.

On Linux, `curl` and `wget` let you replay a captured request with headers and parameters altered and see which server-side check actually fires. Keep in mind that they do not reproduce browser behaviour such as SameSite cookie handling, CORS preflights or referrer policy, so confirm a finding with a PoC page delivered through a browser. `Burp Suite` and `OWASP ZAP` can generate such PoC pages and automate much of the detection.

On Windows, PowerShell can send the same requests and manipulate headers. With `Invoke-WebRequest`, set the body type through `-ContentType` rather than the `-Headers` table (Windows PowerShell 5.1 rejects Content-Type in `-Headers`), and pass the victim's session cookie through a `-Headers` entry or a `WebRequestSession`:

Invoke-WebRequest -Uri http://example.com/api/endpoint -Method POST -ContentType "application/json" -Headers @{"Cookie"="sessionid=<victim_session>"} -Body '{"param1":"value1","param2":"value2"}'

In conclusion, CSRF attacks remain a significant threat to web applications. By understanding the various bypass techniques and implementing strong security measures, developers can protect their applications from these attacks. Regularly testing your application for CSRF vulnerabilities and staying updated with the latest security practices is crucial for maintaining a secure web environment.

For further reading and advanced techniques, refer to the following resources:
OWASP CSRF Prevention Cheat Sheet
PortSwigger CSRF Academy
CSRF Token Best Practices
