⭐CSRF
Here are some good techniques for finding CSRF
- Create a dummy user account in the target site which you need to test! 
- Verify your mail address if it asks for verification. 
- Go to your profile/account settings. 
- Look for some sensitive forms like “Billing address”, “Change Username”, “Change Password”, “Add Bio”, “Delete profile” etc.. 
- Try changing the default values on those forms and submit the form., 
- Capture the request in BurpSuite. 
- Check if any CSRF token is present or not! That is , in some websites they use CSRF/Form tokens while sending the request. Those tokens are random string of characters which changes each time when the website loads. It is a mitigation measure against CSRF attacks. 
- If Token is not present then the site may be vulnerable to CSRF. 
- Now you are good to go, send the request to repeater and drop the request. 
- Go to repeater tab send the request. If you got 200 response , try one more time , but this time just change any value in the request and send the request. 
- Go to your profile and check that the value you sent via burp repeater gets updated in your profile. If it gets updated, then it is vulnerable. 
- Now build a sample exploit by creating an example attacker webpage 
- Sample exploit webpage should contain the same form but the “action” parameter should be equal to “http://target.com/csrf_vulnerable.php” and all the form input fields shoulb be “hidden”. Sample Exploit WebPage Code will be available here : Exploit_page_code , the exploit is meant to add arbitary billing address into the victim profile after 10 seconds since the victim opens the webpage. I found a CSRF bug in a website and used the same exploit for the PoC. Note : I changed the domain name to “example.com” . 
Some Tips to bypass CSRF tokens
- Check the CSRF token and identify the parameter name, if it is a hash like md5 , sha1 , sha256 etc., try cracking the hash. If you are successfully able to crack the hash and the cracked value is something predictable like numbers, then you can bypass it by predicting the CSRF token value ; hash it using the same algorithm ; add it into the malicious webpage/request 
- Try removing the token value and parameter from the request and see that the request actually made any changes in the profile, if yes then you can bypass it. 
- Try adding your own custom / random string into the token parameter replacing the original token. It’s length should be equal to the original token 
- Try using the old tokens in the new request 
- Try Converting POST request to GET request , remove CSRF token and send the request. 
- Try removing anti CSRF headers from the request. 
Last updated