What is CSRF?
Cross-site request forgery (CSRF) is a web application vulnerability in which the attacker induces the victim to perform actions that the victim did not intend to perform.
The impact of such a vulnerability can be critical: the attacker may be able to change the email address or password of the account, or even transfer funds. Depending on the type of attack, the attacker can gain full access to the victim's account.
To prevent such attacks, many web applications use various protections against CSRF, but these protections often fail because there are ways to bypass them and still carry out a CSRF attack. Here are some of the methods that can help you bypass CSRF protections and can also earn you big bounties.
1. Using CSRF token of other accounts
This can be considered the simplest CSRF bypass. It works when the web application does not validate that the CSRF token is bound to a particular account and only checks that the token has the expected format. To test this:
(i) Log in to the web application with account A
(ii) Head over to its password change option
(iii) Capture the CSRF token with Burp Suite
(iv) Log out and log in with account B
(v) Go to the password change option and intercept the request
(vi) Now replace the CSRF token with the one captured from account A
2. Replace value with same length
Another technique is to find the length of the token. For example, if it is an alphanumeric token of 32 characters, then replace the value of the authenticity_token variable with some other 32-character value. For example, if the token is ab017ab103243212413124, replace it with a different value of the same length.
3. Removing the CSRF token completely
This is a very common technique that works on almost every functionality: the token is removed entirely. To test this, intercept the request in Burp Suite, remove the token, and check whether the request is still processed. If it is, you have successfully bypassed the CSRF protection.
4. Decoding of CSRF token
In this method you have to identify the algorithm behind the CSRF token. In most web applications, CSRF tokens are either MD5 or Base64 encoded values. To test this, decode the value of the CSRF token and encode the next value with the same algorithm. For example, "2b24d495052a8ce66358eb576b8912c8" is MD5(145). You can similarly compute MD5(243) for the next value to bypass the CSRF token.
5. Extraction of token through HTML injection
This technique relies on an HTML injection flaw, through which the attacker can drop a logger that extracts the CSRF token from the web page and then uses that token.
6. Usage of only static part of the token
The CSRF token includes two parts: a static part and a dynamic part. For example, given the two CSRF tokens tester641467h2424242 and tester6414abcde077d, the static part is tester6414. If you submit only the static part of the token, tester6414, and the application accepts it, you are able to use that token.
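The bypasses in techniques 1, 2, 3 and 6 all succeed against a server that checks the token's shape rather than its binding. As an added example (not code from the original post), the following Python compares a shape-only validator with a hardened one that binds the token to the session with an HMAC, rejects a missing token, and compares in constant time; the server key and session identifiers are constructed for illustration.

```python
import hashlib
import hmac
import secrets

HEX = set("0123456789abcdef")
# Server-side key; a constructed value for this example (load it from secure config in practice).
SERVER_KEY = b"example-server-key-not-for-production"


def issue_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Bind the token to the session. Without the server key nobody can mint a
    token that validates for a different session (counters technique 1)."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def validate_strict(session_id: str, submitted, key: bytes = SERVER_KEY) -> bool:
    """Hardened check: the token must be present, must equal the one bound to THIS
    session, and is compared in constant time (counters techniques 1, 2, 3 and 6)."""
    if not submitted:
        return False  # technique 3: a request with no token is rejected, not waved through
    expected = issue_token(session_id, key)
    return hmac.compare_digest(expected, submitted)


def validate_shape_only(submitted) -> bool:
    """Weak check that only validates the token's format, not its binding.
    Any well-formed value passes, which is exactly what techniques 1 and 2 exploit."""
    return bool(submitted) and len(submitted) == 64 and set(submitted) <= HEX


def run_scenarios() -> dict:
    """Replay the bypass attempts from the text against both validators.
    Returns {scenario: (strict_result, shape_only_result)}."""
    token_a = issue_token("session-of-account-A")
    token_b = issue_token("session-of-account-B")
    forged = secrets.token_hex(32)            # technique 2: right length, wrong value
    cases = {
        "genuine": token_b,
        "other_account": token_a,             # technique 1
        "same_length": forged,                # technique 2
        "removed": None,                      # technique 3
    }
    return {name: (validate_strict("session-of-account-B", tok), validate_shape_only(tok))
            for name, tok in cases.items()}
```

Only the genuine token passes the strict validator, while the shape-only validator accepts the other account's token and the same-length forgery.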