CSRF BYPASS

These are additional CSRF protection bypasses that may prove helpful during engagements or bug bounty hunting. Each one targets a specific mistake in how the server validates the token (or the request's origin), so it is worth knowing which check you are defeating.

NULL VALUE

Sending the CSRF header with an empty (null) value may work when the check only tests that the header is present and never validates its value. As long as the header name appears in the request, the empty token may bypass the protection.

CSRF-Token:

RANDOM CSRF TOKEN

Setting the CSRF token to a different, random value of the same length as the real token may bypass anti-CSRF checks that only test whether the token has a value, or whether its length matches the original, rather than comparing it to the token issued for the session.

Real:
 CSRF-Token: 9cfffd9e8e78bd68975e295d1b3d3331

Fake:
 CSRF-Token: 9cfffl3dj3837dfkj3j387fjcxmfjfd3

USING ANOTHER SESSION'S CSRF TOKEN

Reusing one account's CSRF token in another account's session works against applications that do not verify that the token is bound to the current session or user, and only check that the token is well-formed (or was ever issued by the server).

#step 1: Create two accounts and log into the first account. Generate a request and
#        capture the CSRF token. Copy the token's value, for example,
#        CSRF-Token=9cfffd9e8e78bd68975e295d1b3d3331.

#step 2: Log into the second account and change the value of CSRF-Token to
#        9cfffd9e8e78bd68975e295d1b3d3331 while issuing the same (or a different)
#        request. If the request succeeds, a token generated through our own
#        account is accepted across accounts, so we can use it in CSRF attacks
#        against any victim.

REQUEST METHOD TAMPERING

This bypass changes the request method, for example from POST to GET (or the reverse), so that the request reaches a handler or code path that the anti-CSRF check does not cover.

#original application request
POST /change_password
POST body:
new_password=pwned&confirm_new=pwned

#modified application request
GET /change_password?new_password=pwned&confirm_new=pwned

 * NOTE: Requests in an unexpected method may be served without any CSRF token at all, for example when the token check is wired only to the POST handler while the framework reads parameters from either the query string or the body.

DELETE THE CSRF TOKEN PARAMETER OR SEND A BLANK TOKEN

Not sending a token works fairly often because of a common application logic mistake: the application only validates the token if the parameter exists or is non-blank, so an absent or empty parameter skips the check entirely.

#legitimate requests
POST /change_password
POST body:
new_password=qwerty&csrf_token=9cfffd9e8e78bd68975e295d1b3d3331

#bypass method 1
POST /change_password
POST body:
new_password=qwerty

#bypass method 2
POST /change_password
POST body:
new_password=qwerty&csrf_token=
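The NULL VALUE, RANDOM CSRF TOKEN, USING ANOTHER SESSION'S CSRF TOKEN, REQUEST METHOD TAMPERING and missing/blank token bypasses above each defeat a different faulty check. The following Python is an added example, not code from the original page: it implements one small vulnerable validator per mistake next to a strict validator, then replays the page's bypass requests against all of them so you can see exactly which check each request gets past. The secret, session ids, Request class and validator names are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed for this example: a real application loads its secret from config.
SECRET = b"server-side-secret"
ISSUED = set()          # every token the server has ever handed out, for any account


@dataclass
class Request:
    method: str
    path: str
    session_id: str                       # the logged-in account behind the request
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def token(self):
        # The page shows the token both as a header and as a body parameter.
        return self.headers.get("CSRF-Token", self.params.get("csrf_token"))


def issue_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session id), truncated to 32 hex characters."""
    tok = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:32]
    ISSUED.add(tok)
    return tok


def _matches_session(req: Request) -> bool:
    return hmac.compare_digest(req.token() or "", issue_token(req.session_id))


# --- vulnerable validators, one per logic mistake from the page -------------
def presence_only(req):   # NULL VALUE / DELETE THE PARAMETER / BLANK TOKEN
    if not req.token():
        return True       # no token present, so the check is simply skipped
    return _matches_session(req)

def length_only(req):     # RANDOM CSRF TOKEN
    return len(req.token() or "") == 32

def any_issued(req):      # USING ANOTHER SESSION'S CSRF TOKEN
    return (req.token() or "") in ISSUED   # valid for *some* account is enough

def post_only(req):       # REQUEST METHOD TAMPERING
    if req.method != "POST":
        return True       # GET (and every other method) is never checked
    return _matches_session(req)

# --- hardened validator -----------------------------------------------------
def strict(req):
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return False      # a state change is never accepted on a safe method
    return _matches_session(req)


VALIDATORS = [presence_only, length_only, any_issued, post_only, strict]
VICTIM, ATTACKER = "session-victim", "session-attacker"


def run_bypasses():
    """Return {attempt: {validator name: accepted?}} for the requests on the page."""
    real, foreign = issue_token(VICTIM), issue_token(ATTACKER)
    body = {"new_password": "pwned"}
    attempts = {
        "legitimate":            Request("POST", "/change_password", VICTIM, {**body, "csrf_token": real}),
        "missing parameter":     Request("POST", "/change_password", VICTIM, body),
        "blank parameter":       Request("POST", "/change_password", VICTIM, {**body, "csrf_token": ""}),
        "empty header":          Request("POST", "/change_password", VICTIM, body, {"CSRF-Token": ""}),
        "random, same length":   Request("POST", "/change_password", VICTIM,
                                         {**body, "csrf_token": "9cfffl3dj3837dfkj3j387fjcxmfjfd3"}),
        "other account's token": Request("POST", "/change_password", VICTIM, {**body, "csrf_token": foreign}),
        "POST turned into GET":  Request("GET", "/change_password", VICTIM, body),
    }
    return {name: {v.__name__: v(req) for v in VALIDATORS} for name, req in attempts.items()}


if __name__ == "__main__":
    for name, outcome in run_bypasses().items():
        beaten = [v for v, ok in outcome.items() if ok and v != "strict"]
        print(f"{name:24s} defeats: {', '.join(beaten) or 'nothing'}")
```

Running the script prints, per attempt, the vulnerable validators it slips past; the strict validator accepts only the legitimate request. The point to take from the table is that the missing, blank and empty-header cases are the same bug (presence is mistaken for validity), that a length check is not a comparison, and that a token which is merely "issued" or "well-formed" is useless unless it is compared against the one bound to the current session.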

SESSION FIXATION TO CSRF

Another CSRF defense is the double-submit cookie: the request carries the same random token both as a cookie and as a request parameter, and the server accepts the request only if the two values are equal. An application that relies on this defense typically does not keep the valid token server-side, so it has no way of knowing whether a given token is legitimate; it merely checks that the cookie value and the body value match. If that is the case and a session fixation vulnerability exists (the attacker can plant a cookie of a known value in the victim's browser), the attacker can supply that same value in the request body and perform a successful CSRF attack.

#Steps:
1. Session fixation: plant CSRF-Token=fixed_token in the victim's browser.
2. Execute CSRF with the following request, which the victim's browser sends with the planted cookie attached:

POST /change_password
Cookie: CSRF-Token=fixed_token;
POST body:
new_password=pwned&CSRF-Token=fixed_token
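The following Python is an added example, not code from the original page. It models the naive double-submit check described above and shows the two steps (plant the cookie, submit the form) succeeding against it, then shows the usual fix: a signed double-submit cookie whose HMAC binds the token to the session id, so a value the attacker can plant but cannot sign is rejected. The secret, cookie name, session ids and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = b"server-side-secret"      # constructed; the attacker does not know it
COOKIE = "CSRF-Token"


def naive_check(cookies, params, session_id=None):
    """Plain double-submit as described above: accept when the cookie token equals the
    body token. Nothing is stored server-side, so any value the attacker can plant works."""
    cookie = cookies.get(COOKIE, "")
    return cookie != "" and hmac.compare_digest(cookie, params.get(COOKIE, ""))


def _sign(session_id, token):
    return hmac.new(SECRET, f"{session_id}:{token}".encode(), hashlib.sha256).hexdigest()


def mint_signed_token(session_id):
    """Signed double-submit: random token plus an HMAC that ties it to this session."""
    token = secrets.token_hex(16)
    return f"{token}.{_sign(session_id, token)}"


def signed_check(cookies, params, session_id):
    """Hardened: cookie and body must match AND the cookie must carry a valid signature
    for the current session, which a planted value cannot have."""
    cookie = cookies.get(COOKIE, "")
    if "." not in cookie or not hmac.compare_digest(cookie, params.get(COOKIE, "")):
        return False
    token, sig = cookie.split(".", 1)
    return hmac.compare_digest(sig, _sign(session_id, token))


def fixation_attack(check):
    """Step 1: the attacker plants CSRF-Token=fixed_token in the victim's cookie jar
    (the session-fixation bug the page assumes). Step 2: the attacker's page submits
    the form from the page, carrying the same value in the body."""
    victim_jar = {"session": "victim-session-id", COOKIE: "fixed_token"}
    form = {"new_password": "pwned", COOKIE: "fixed_token"}
    return check(victim_jar, form, "victim-session-id")


def legitimate_request(session_id="victim-session-id"):
    """The real flow: server mints a signed token, browser echoes it in cookie and body."""
    token = mint_signed_token(session_id)
    return signed_check({COOKIE: token}, {"new_password": "ok", COOKIE: token}, session_id)


def foreign_signed_token():
    """A token the attacker had signed for their own session, replayed into the victim's."""
    token = mint_signed_token("attacker-session-id")
    return signed_check({COOKIE: token}, {"new_password": "pwned", COOKIE: token}, "victim-session-id")


if __name__ == "__main__":
    print("naive double-submit beaten by fixation:", fixation_attack(naive_check))
    print("signed double-submit beaten by fixation:", fixation_attack(signed_check))
    print("legitimate signed request accepted:", legitimate_request())
    print("attacker's own signed token accepted for victim:", foreign_signed_token())
```

The signed variant only helps when the session id the signature covers is something the attacker cannot also fix; if the cookie-planting bug lets them set the session cookie too, the problem is plain session fixation rather than CSRF. Scoping the cookie with the __Host- prefix (Secure, no Domain attribute, Path=/) removes the common subdomain route for planting it in the first place.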

ANTI-CSRF PROTECTION VIA THE REFERRER HEADER

If an application uses the Referer header as its anti-CSRF mechanism, try removing the Referer header entirely: many implementations treat a missing header as acceptable, because browsers legitimately omit it in some situations. The attacker page can suppress it with a referrer policy.

# Add the following meta tag to the page hosting your CSRF script.
<meta name="referrer" content="no-referrer">

BYPASS THE REGEX

This protection is implemented by sites that check the Referer against an allowlist regex, or a regex that permits one specific domain. Suppose the check looks for google.com: an unanchored match accepts a Referer such as www.google.com.pwned.m3, where the expected domain is merely a prefix of the attacker's hostname. If the application allowlists its own domain (target.com), try the target domain as a subdomain of yours: www.target.com.pwned.m3. If the regex is unanchored, the expected domain can also appear in the path or query string rather than the hostname.

#other domains that could be used...
www.pwned.m3?www.target.com or www.pwned.m3/www.target.com
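The following Python is an added example, not code from the original page. It serves both the missing-Referer bypass and the regex bypass above: two regex checks of the kind described (one that looks for the domain anywhere in the header, one anchored to the start but not delimited after the host) are run against the page's Referer values, with the header-suppressed case included, next to a strict check that parses the URL and compares the exact host. The userinfo form (https://www.target.com@www.pwned.m3/) is an added variant of the same idea and is not on the page; the host name and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "www.target.com"          # the application's own host (constructed)

# Two regexes of the kind the page describes: one just looks for the domain
# anywhere in the header, the other is anchored to the start but stops right
# after the host name, so anything (".pwned.m3", "@www.pwned.m3") may follow it.
CONTAINS_DOMAIN = re.compile(r"www\.target\.com")
ANCHORED_PREFIX = re.compile(r"^https?://www\.target\.com")


def regex_referer_check(pattern, headers):
    """Vulnerable: regex match on the raw Referer, and a missing header passes."""
    referer = headers.get("Referer")
    if referer is None:
        return True      # the case <meta name="referrer" content="no-referrer"> exploits
    return pattern.search(referer) is not None


def strict_source_check(headers):
    """Hardened: parse the URL, compare the exact host, and treat absence as failure."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.hostname == ALLOWED_HOST


# Constructed Referer values an attacker-controlled page could produce. The suffix,
# query-string and path forms are the page's own examples; userinfo is the added variant.
CANDIDATES = {
    "legitimate":        {"Referer": "https://www.target.com/settings"},
    "suffix domain":     {"Referer": "https://www.target.com.pwned.m3/csrf.html"},
    "in query string":   {"Referer": "https://www.pwned.m3?www.target.com"},
    "in path":           {"Referer": "https://www.pwned.m3/www.target.com"},
    "userinfo":          {"Referer": "https://www.target.com@www.pwned.m3/"},
    "header suppressed": {},
}


def evaluate():
    """Return {case: {check name: accepted?}} for every candidate Referer."""
    return {
        name: {
            "contains": regex_referer_check(CONTAINS_DOMAIN, hdrs),
            "anchored": regex_referer_check(ANCHORED_PREFIX, hdrs),
            "strict": strict_source_check(hdrs),
        }
        for name, hdrs in CANDIDATES.items()
    }


if __name__ == "__main__":
    for case, result in evaluate().items():
        print(f"{case:18s} {result}")
```

Note which regex each value gets past: the unanchored "contains" check accepts all of them, while the anchored-prefix check still accepts the suffix-domain and userinfo forms because urlsplit, not the regex, is what knows where the hostname ends. The strict check rejects the suppressed-header case, which is the correct behaviour for a state-changing request but will also reject legitimate users whose browsers omit the header; that is why Origin is consulted first and why a per-session token, not the Referer, should be the primary control.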
