1. Remove the entire token parameter with its value, or remove just the value.
2. Use any other random token of the same length.
3. Use any other random token of length-1 or length+1.
4. Use the attacker's token in the victim's session.
5. Change the method from POST to GET and remove the token.
6. If the request is made through PUT or DELETE, try POST.
7. If the token is sent through a custom header, try removing the header.
8. Change the Content-Type to application/json, application/x-www-form-urlencoded, multipart/form-data, text/xml or application/xml.
9. If a double-submit token is used (in a cookie and some header), try CRLF injection.
10. Bypassing the referrer check:
    i. If the Referer header is checked only when it is present in the request, add this line to your CSRF PoC: <meta name="referrer" content="never">
    ii. Regex referrer bypass:
11. CSRF token stealing via XSS/HTMLi/CORS.
12. JSON based:
    i. Change the Content-Type to text/plain, application/x-www-form-urlencoded or multipart/form-data and check whether it is accepted.
    ii. Use Flash + 307 redirect.
13. Guessable CSRF token.
14. Clickjacking to bypass a strong CSRF token.
15. Type juggling.
16. Array: [email protected]&csrftoken[]=lol
17. Set the CSRF token to "null" or add null bytes.
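As an added example from the defender's side (not part of the original checklist), a Python validator that rejects each case in the list above: a naive double-submit check is placed beside a hardened, session-bound one, and requests modelled on the checklist items are run through both. The Request class, the field name csrftoken and the header name X-CSRF-Token are assumptions.

```python
import hmac
import secrets

class Request:
    """Constructed stand-in for a framework request object (assumed shape)."""
    def __init__(self, method, form=None, headers=None, cookies=None):
        self.method, self.form = method, form or {}
        self.headers, self.cookies = headers or {}, cookies or {}

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def naive_check(req, session_token):
    """Weak double-submit check: only POST is checked, an absent token passes,
    and the form token is compared with the cookie, never with the session."""
    if req.method != "POST":
        return True
    token = req.form.get("csrftoken")
    return token is None or token == req.cookies.get("csrftoken")

def hardened_check(req, session_token):
    """True only when a state-changing request carries one non-empty token
    that exactly matches the token bound to the server-side session."""
    if req.method not in UNSAFE_METHODS:
        return False                       # GET/HEAD must never change state
    token = req.form.get("csrftoken")
    if token is None:                      # same rule whatever the Content-Type
        token = req.headers.get("X-CSRF-Token")
    if not isinstance(token, str) or not token or "\x00" in token:
        return False                       # missing, empty, array or null byte
    # compare_digest is constant-time and fails on any length difference
    return hmac.compare_digest(token.encode(), session_token.encode())

def checklist_cases(session_token):
    """Constructed requests modelled on the checklist items; none should pass."""
    wrong = secrets.token_hex(len(session_token) // 2)   # attacker's own token
    return {
        "removed token": Request("POST", {}),
        "empty value": Request("POST", {"csrftoken": ""}),
        "random same length": Request("POST", {"csrftoken": wrong}),
        "length minus one": Request("POST", {"csrftoken": session_token[:-1]}),
        "GET without token": Request("GET", {}),
        "PUT instead of POST": Request("PUT", {}),
        "array token": Request("POST", {"csrftoken": [session_token, "lol"]}),
        "null byte": Request("POST", {"csrftoken": session_token + "\x00"}),
        "attacker token in double-submit cookie":
            Request("POST", {"csrftoken": wrong}, cookies={"csrftoken": wrong}),
    }

def accepted_cases(check, session_token):
    """Names of the checklist cases that a validator wrongly accepts."""
    return [n for n, r in checklist_cases(session_token).items() if check(r, session_token)]
```

Running accepted_cases with each validator shows which checklist items the naive check lets through and that the hardened check lets none through while still accepting a genuine token in the form field or the custom header.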
Practice Verified Codes and Commands:

Example of changing the Content-Type using curl:
curl -X POST -H "Content-Type: application/json" -d '{"key":"value"}' http://example.com

Example of CRLF injection (as given, this command only sets the cookie and the custom header directly; no CRLF sequence is included):
curl -X POST -H "Cookie: csrftoken=malicious" -H "Custom-Header: value" http://example.com

Example of using a meta tag in HTML for the referrer bypass:
echo '<meta name="referrer" content="never">' > csrf_poc.html

Example of using a null byte in the CSRF token (inside single quotes the shell passes \x00 literally, so the body is written with printf and sent as binary data):
printf 'csrftoken=\0' > body.bin
curl -X POST --data-binary @body.bin http://example.com
What Undercode Says:
Cross-Site Request Forgery (CSRF) is a critical vulnerability that lets an attacker perform actions on behalf of an authenticated user without the user's consent. The techniques outlined above show various ways CSRF protections can be bypassed, and penetration testers and security researchers need to understand them.
In Linux, tools like `curl` and `wget` are invaluable for testing these vulnerabilities. For instance, using `curl` to manipulate headers and content types can help simulate different attack scenarios. Additionally, understanding how to inject CRLF characters or manipulate tokens can be crucial in exploiting CSRF vulnerabilities.
On Windows, PowerShell can be used to perform similar tasks. For example, you can use `Invoke-WebRequest` to send custom headers and payloads to test for CSRF vulnerabilities.
Invoke-WebRequest -Uri http://example.com -Method POST -ContentType "application/json" -Body '{"key":"value"}'
Furthermore, understanding how web servers handle different content types and methods (GET, POST, PUT, DELETE) is crucial. Tools like Burp Suite and OWASP ZAP can automate some of these tests, but manual testing with command-line tools provides deeper insights.
For those interested in further reading, OWASP provides comprehensive guides on CSRF and other web vulnerabilities. You can find more information at OWASP CSRF Guide.
In conclusion, mastering CSRF bypass techniques requires a deep understanding of web protocols, headers, and server behaviors. By combining manual testing with automated tools, security professionals can effectively identify and mitigate CSRF vulnerabilities, ensuring the security of web applications.