Learn CSRF With Some Bypass Method
August 21, 2022
What Is CSRF?
Cross-Site Request Forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which the user is logged in.
A successful CSRF attack can be devastating for both the business and the user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft, including stolen session cookies.
CSRF attacks are typically delivered through social engineering, such as an email or link that tricks the victim into sending a forged request to the server. Because the unsuspecting user is authenticated to the application at the time of the attack, the application cannot distinguish the forged request from a legitimate one.
Some Bypass Methods!
1. Change Request Method.
Another thing worth trying is changing the HTTP method of the request. If the sensitive request you want to forge is sent via POST, try converting it to a GET request; if the action is performed via GET, try converting it to a POST. The application might still execute the action, and the same protection mechanism is often not applied to the other method.
For example, this request:
POST /change_password
POST body:
new_password=qwerty
Can be rewritten as:
GET /change_password?new_password=qwerty
2. Delete The Token Parameter Or Send A Blank Token.
Not sending a token works fairly often because of a common application logic mistake: applications sometimes only check the validity of the token if the token parameter exists, or if it is not blank. In that case, sending the request without the token, or with a blank value as the token, may be all you need to bypass the protection.
For example, if a legitimate request looks like this:
POST /change_password
POST body:
new_password=qwerty&csrf_tok=871caef0757a4ac9691aceb9aad8b65b
Try this:
POST /change_password
POST body:
new_password=qwerty
Or, this:
POST /change_password
POST body:
new_password=qwerty&csrf_tok=
Or you can try an unused but valid token: intercept a legitimate request, drop it before it reaches the server, and reuse the token it carried in your forged request.
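The two mistakes behind methods 1 and 2 (a check that depends on the HTTP method, and a token that is only validated when it happens to be present) are easiest to see side by side. The following is an added example and not code from the original post: a weak validator that reproduces both mistakes next to a hardened one that accepts only unsafe methods on a state-changing endpoint, treats a missing or blank token as a failure, compares in constant time, binds the token to the session and consumes it on first use so a captured-but-unused token cannot be replayed. The session store, session id, field names and the token value (taken from the request shown above) are constructed for the example.

```python
import hmac
import secrets

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def fresh_store():
    """Constructed in-memory store: session id -> set of issued, unused tokens.
    The token value is the one from the request shown above."""
    return {"sess-1": {"871caef0757a4ac9691aceb9aad8b65b"}}


def issue_token(store, session_id):
    """Mint an unpredictable token and remember it for the session."""
    token = secrets.token_hex(16)
    store.setdefault(session_id, set()).add(token)
    return token


def weak_is_allowed(store, method, params, session_id):
    """Reproduces the flawed logic described above: GET is never checked, and
    the token is only validated when the parameter is present and non-blank."""
    if method == "GET":
        return True
    token = params.get("csrf_tok")
    if not token:
        return True          # missing or blank token: the check is silently skipped
    return token in store.get(session_id, set())


def hardened_is_allowed(store, method, params, session_id):
    """State-changing endpoint: only unsafe methods are accepted, a token is
    always required, it must belong to this session, it is compared in
    constant time, and it is consumed on first use."""
    if method not in UNSAFE_METHODS:
        return False         # the GET rewrite is rejected outright
    token = params.get("csrf_tok", "")
    if not token:
        return False         # missing or blank token is a hard failure
    issued = store.get(session_id, set())
    for candidate in list(issued):
        if hmac.compare_digest(candidate, token):
            issued.discard(candidate)   # single use: a replay of this token fails
            return True
    return False


def run_cases():
    """Run the requests from the post through both validators.
    Returns {case: (weak_result, hardened_result)}."""
    good = {"new_password": "qwerty", "csrf_tok": "871caef0757a4ac9691aceb9aad8b65b"}
    cases = [
        ("get_rewrite",    "GET",  {"new_password": "qwerty"}),
        ("no_token",       "POST", {"new_password": "qwerty"}),
        ("blank_token",    "POST", {"new_password": "qwerty", "csrf_tok": ""}),
        ("valid_token",    "POST", good),
        ("replayed_token", "POST", good),   # the same token submitted a second time
    ]
    weak_store, hard_store = fresh_store(), fresh_store()
    results = {}
    for name, method, params in cases:
        results[name] = (weak_is_allowed(weak_store, method, params, "sess-1"),
                         hardened_is_allowed(hard_store, method, params, "sess-1"))
    return results


if __name__ == "__main__":
    for case, (weak, hard) in run_cases().items():
        print(f"{case:15} weak={weak!s:5} hardened={hard}")
```

Running it shows the weak validator accepting every variant (GET rewrite, no token, blank token, replayed token) while the hardened one accepts exactly one request: the POST carrying the issued, unused token.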
3. Remove The Referer Header.
Similar to sending a blank token, sometimes all you need to do to bypass a Referer check is to not send a Referer at all. To do this, add the following meta tag to the page hosting your payload:
<meta name="referrer" content="no-referrer">
The application might only validate the Referer if one is sent; in that case, you have bypassed its CSRF protection.
4. Bypass The Regex.
If the Referer check is based on a whitelist, you can try bypassing the regex used to validate the URL. For example, try placing the victim's domain name in the Referer URL as a subdomain or as a directory:
If the site is looking for "bank.com" in the Referer URL, maybe "bank.com.attacker.com" or "attacker.com/bank.com" will work.
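Both Referer weaknesses (skipping the check when the header is absent, and matching the trusted host as a substring) come from the same place: the check is written against the raw header string instead of the parsed host. The following is an added example, not code from the original post, showing the weak check beside a fail-closed one that requires a source header (Origin first, Referer as fallback), parses it, and compares the host exactly. The trusted host and the header sets are constructed; the attacker URLs are the ones quoted above.

```python
from urllib.parse import urlparse

# Constructed example: the host the application trusts as a request source.
TRUSTED_HOST = "bank.com"


def weak_referer_ok(headers):
    """Reproduces both weaknesses described above: the check is skipped when no
    Referer is sent, and the trusted host only has to appear somewhere in the URL."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    return TRUSTED_HOST in referer


def hardened_origin_ok(headers):
    """Fail closed: a source header is required (Origin preferred, Referer as
    fallback), and the parsed host must equal the trusted host exactly."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                       # no source header at all: refuse
    parsed = urlparse(source)
    if parsed.scheme != "https" or parsed.hostname is None:
        return False                       # covers "null" origins and bare strings
    return parsed.hostname == TRUSTED_HOST  # hostname is lower-cased, port stripped


def run_cases():
    """Returns {case: (weak_result, hardened_result)} for constructed header sets."""
    cases = {
        "legit_referer":   {"Referer": "https://bank.com/account/settings"},
        "legit_origin":    {"Origin": "https://bank.com"},
        "no_referer":      {},                                   # page served with no-referrer
        "subdomain_trick": {"Referer": "https://bank.com.attacker.com/"},
        "path_trick":      {"Referer": "https://attacker.com/bank.com"},
        "null_origin":     {"Origin": "null"},
    }
    return {name: (weak_referer_ok(h), hardened_origin_ok(h)) for name, h in cases.items()}


if __name__ == "__main__":
    for case, (weak, hard) in run_cases().items():
        print(f"{case:16} weak={weak!s:5} hardened={hard}")
```

Treat an Origin/Referer check as defence in depth alongside a per-session token rather than as the only control: some proxies and privacy settings strip Referer from legitimate traffic, so a fail-closed Referer-only check can break real users, while browsers do send Origin on cross-origin POSTs.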
5. Decoding CSRF Tokens.
Another method to bypass CSRF protection is to identify the algorithm behind the CSRF token. In my experience, CSRF tokens are either MD5 or Base64-encoded values. You can decode the value, compute the next one with the same algorithm and use that as the token. For instance, "a0a080f42e6f13b3a2df133f073095dd" is MD5(122); you can similarly compute the next value, MD5(123), and use it to bypass the CSRF token check.
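The weakness here is predictability: a token that is a hash of a counter can be computed by anyone who knows the scheme. The following is an added example, not code from the original post, with two parts: a token generator that makes the next value uncomputable (a random nonce bound to the session by an HMAC under a server secret, verified in constant time) and an audit helper for your own application's tokens that reports whether a given 32-character token is the MD5 digest of a small integer, the pattern described above. The server secret, session ids and the search limit are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_token(session_id):
    """Unpredictable token: a random nonce bound to the session by an HMAC, so
    knowing how tokens are produced does not let anyone compute the next one."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(token, session_id):
    """Recompute the HMAC for this session and compare it in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    try:
        return hmac.compare_digest(expected, mac)
    except TypeError:            # non-ASCII garbage in the submitted value
        return False


def counter_behind_md5_token(token, limit=100_000):
    """Audit helper for tokens issued by your own application: if the token is
    the MD5 hex digest of a small integer (the pattern described above), return
    that integer; otherwise None. A hit means the next token is predictable."""
    if len(token) != 32:
        return None
    for n in range(limit):
        if hashlib.md5(str(n).encode()).hexdigest() == token:
            return n
    return None


if __name__ == "__main__":
    t = make_token("sess-1")
    print("issued:", t, "verifies:", verify_token(t, "sess-1"))
    print("counter token audit:", counter_behind_md5_token("202cb962ac59075b964b07152d234b70"))
    print("random token audit:", counter_behind_md5_token(t))
```

The audit helper returns 123 for the MD5 of "123" and None for an HMAC-based token; the generator's tokens also fail verification under any other session id or after a single character is altered.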
6. Switch Form And Non-Form Content Types.
If the token check is only applied to one body encoding, resubmit the same request with a different Content-Type, for example from
Content-Type: application/json
or
Content-Type: application/x-www-form-urlencoded
to
Content-Type: multipart/form-data
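The gap this method exploits is a token check that only runs for the encodings the developer anticipated. The following is an added example, not code from the original post: `weak_check` reproduces an application that validates the token for URL-encoded and JSON bodies only, so the same request re-sent as multipart/form-data passes unchecked, while `hardened_check` extracts the token from any of the three encodings (using the standard-library MIME parser for multipart) and requires it every time. The expected token is the value from the request shown earlier; the request bodies and the boundary are constructed.

```python
import hmac
import json
from email import message_from_bytes
from urllib.parse import parse_qs

# Constructed example token; in practice it comes from the user's session.
EXPECTED_TOKEN = "871caef0757a4ac9691aceb9aad8b65b"

# Constructed request bodies carrying the same form in three encodings.
URLENCODED = b"new_password=qwerty&csrf_tok=871caef0757a4ac9691aceb9aad8b65b"
JSON_BODY = b'{"new_password": "qwerty", "csrf_tok": "871caef0757a4ac9691aceb9aad8b65b"}'
MULTIPART_CT = "multipart/form-data; boundary=XYZ"
MULTIPART_NO_TOKEN = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="new_password"\r\n\r\n'
    b"qwerty\r\n"
    b"--XYZ--\r\n"
)
MULTIPART_WITH_TOKEN = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="csrf_tok"\r\n\r\n'
    b"871caef0757a4ac9691aceb9aad8b65b\r\n"
    + MULTIPART_NO_TOKEN
)


def media_type_of(content_type):
    return content_type.split(";", 1)[0].strip().lower()


def extract_token(content_type, body):
    """Return the csrf_tok field from the body for any of the three encodings,
    or None when it is absent or the body cannot be parsed."""
    media_type = media_type_of(content_type)
    if media_type == "application/x-www-form-urlencoded":
        fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        return fields.get("csrf_tok", [None])[0]
    if media_type == "application/json":
        try:
            return json.loads(body).get("csrf_tok")
        except (ValueError, AttributeError):
            return None
    if media_type == "multipart/form-data":
        # Prepend the Content-Type header so the MIME parser knows the boundary,
        # then look for the part whose Content-Disposition names csrf_tok.
        raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
        for part in message_from_bytes(raw).walk():
            if part.get_param("name", header="content-disposition") == "csrf_tok":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return None
    return None


def weak_check(content_type, body):
    """Reproduces the gap above: the token is only enforced for the encodings
    the developer anticipated, so a multipart body is never checked."""
    if media_type_of(content_type) not in ("application/x-www-form-urlencoded", "application/json"):
        return True
    return extract_token(content_type, body) == EXPECTED_TOKEN


def hardened_check(content_type, body):
    """The token is required on every state-changing request, however it is encoded."""
    token = extract_token(content_type, body)
    if not isinstance(token, str) or not token:
        return False
    try:
        return hmac.compare_digest(token, EXPECTED_TOKEN)
    except TypeError:            # non-ASCII value submitted as the token
        return False


def run_cases():
    """Returns {case: (weak_result, hardened_result)} for the constructed bodies."""
    cases = {
        "urlencoded_token":     ("application/x-www-form-urlencoded", URLENCODED),
        "json_token":           ("application/json", JSON_BODY),
        "urlencoded_blank":     ("application/x-www-form-urlencoded", b"new_password=qwerty&csrf_tok="),
        "multipart_no_token":   (MULTIPART_CT, MULTIPART_NO_TOKEN),
        "multipart_with_token": (MULTIPART_CT, MULTIPART_WITH_TOKEN),
    }
    return {name: (weak_check(ct, body), hardened_check(ct, body)) for name, (ct, body) in cases.items()}


if __name__ == "__main__":
    for case, (weak, hard) in run_cases().items():
        print(f"{case:21} weak={weak!s:5} hardened={hard}")
```

A browser submits a cross-site HTML form as application/x-www-form-urlencoded, multipart/form-data or text/plain without any CORS preflight, whereas a cross-origin fetch() with application/json triggers one; an application that relies on the JSON content type as its only CSRF defence is therefore protected only as long as the endpoint refuses every other encoding, which is exactly what the weak validator above fails to do.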