
Cross Site Request Forgery (CSRF)

Introduction

Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. The browser attaches the user's session cookies automatically, so the application cannot tell the forged request from a legitimate one unless it checks something the attacker cannot supply.

Where to find

Usually found in forms. Try submitting the form and inspect the HTTP request. If the request that changes state does not carry a CSRF token (or another unforgeable value such as a custom header or SameSite-protected cookie), it is likely to be vulnerable to CSRF.

How to exploit

  1. HTML GET Method

```html
<!-- A plain link: the browser sends the user's cookies with the GET -->
<a href="http://www.example.com/api/setusername?username=uname">Click Me</a>
```

  2. HTML POST Method

```html
<!-- Auto-submittable form: hidden field carries the forged parameter -->
<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
 <input name="username" type="hidden" value="uname" />
 <input type="submit" value="Submit Request" />
</form>
```

  3. JSON GET Method

```html
<script>
// Cross-origin GET with the victim's cookies attached by the browser
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.example.com/api/currentuser");
xhr.send();
</script>
```

  4. JSON POST Method

  5. Multipart request

Bypass CSRF Token

In some cases, even though the form carries a CSRF token, the token check can still be bypassed in a few ways:

  1. Change a single character of the token
  2. Send an empty token value
  3. Replace the token with another value of the same length
  4. Switch the request method (POST to GET, or GET to POST)
  5. Remove the token parameter from the request entirely
  6. Use another user's valid token
  7. Try to decode the token (it may be an encoding or hash of known data rather than a random value)

     MTIzNDU2 => 123456 with base64

  8. Sometimes the anti-CSRF token is composed of two parts, one of which stays static while the other is dynamic

     When we register again, the request looks like this

     If you notice that the "vi802jg9f8akd9j" part of the token stays the same, you only need to send the static part
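As an added defensive example (not code from the original page), the following Python shows a synchronizer-token check that fails closed against every bypass listed above: the token must be present and non-empty, is compared exactly and in constant time, is bound to the requesting user's session, and is generated at random rather than derived from user data; state changes on GET are refused outright. The in-memory session store and the request fields are simplified stand-ins (assumptions).

```python
import hmac
import secrets
from typing import Dict, Optional

# Simplified in-memory session store (assumption): session_id -> CSRF token.
# A real application would keep this in its server-side session backend.
SESSIONS: Dict[str, str] = {}

# Methods that must not change state, so they never get to act on a token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str) -> str:
    """Generate a fresh token for one session.

    The token is 32 random bytes from the OS CSPRNG, not an encoding or hash
    of user data, so there is nothing to decode and no static part to reuse.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def allow_state_change(session_id: str, method: str,
                       submitted: Optional[str]) -> bool:
    """Return True only if this request may perform a state-changing action."""
    if method.upper() in SAFE_METHODS:
        # Method switching: a GET (e.g. a crafted link) never changes state,
        # token or not, so the handler for that route must refuse it.
        return False
    expected = SESSIONS.get(session_id)
    if expected is None or not submitted:
        # Removed or empty token: fail closed instead of skipping the check.
        return False
    # Exact, constant-time comparison against *this* session's token:
    # a single changed character, a same-length substitute and another
    # user's (otherwise valid) token all fail. Bytes are compared so that
    # arbitrary submitted text cannot raise a TypeError.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    tok = issue_token("session-alice")
    print(allow_state_change("session-alice", "POST", tok))       # True
    print(allow_state_change("session-alice", "POST", tok[:-1]))  # False
    print(allow_state_change("session-alice", "GET", tok))        # False
```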
