天宮の塔
285 words
1 minute
Cross Site Request Forgery
Web vulnerability that allows the attacker to induce the end user to perform unwanted actions. This vulnerability allows the attacker to partially bypass the same-origin policy (SOP), which prevents different websites from interfering with each other.
Example email exchange: https://sitevulneravel.com/email/trocar?email=ownado@evil.net
Impact: The impact of this vulnerability will depend on the context but, if successful, the attacker will cause the victim to carry out actions unintentionally.
Conditions in an useful CSRF
1. Revelant action (CSRF in logout is a meme fr)2. Cookie-based session handling (be aware about JWT)3. No unpredictable request parameters (if an attacker needs to know the value of the parameter, bye)How to find
- Remove CSRF token from request, replace with random value or blank space- Change POST to GET- Replace CSRF token with an already used token- Bypass regex- Get a token by request and call manually- Extract the token with XSS or HTML injectionSome bypass
CSRF tokens:- Change HTTP request's methods- Remove the entire token parameter- Use a valid token and feed that token to the victim- Try to find any behavior that allows to set a cookie in a victim's browser- Try to find any functionality that contains cookie's setting's
SameSite cookies:- If the value is `SameSite=None` it's worth investigating whether it's of any use- Lax bypass via method override/http verb tampering- Strict bypass via on-site gadget (like CSPT + OPEN REDIRECT to CSRF action)How to prevent CSRF
. Use CSRF tokens. Use Strict or Lax SameSite cookie restrictions. Be wary of cross-origin, same-site attacksYoutube
Resources
Cross Site Request Forgery
https://pad1ryoshi.github.io/posts/csrf/