
CSRF & Bypasses
What is CSRF?
Cross-Site Request Forgery (CSRF) occurs when an attacker causes an authenticated user's browser to send a request the user never intended, and the website accepts it because the browser attaches the user's session cookies automatically. Attackers typically lure users into triggering such requests through social engineering, such as deceptive links sent by email or chat. A successful CSRF attack lets the attacker perform actions as the victim, which can compromise the entire web application if the victim holds administrative privileges.
How does a CSRF Attack Work?
A typical CSRF attack follows this flow:
The attacker creates a malicious website or sends a link to a user (victim).
The user, while logged in to the vulnerable website, clicks on the link or visits the malicious website.
The malicious website sends a request to the vulnerable website, including the user's cookies and the desired action (e.g., form submission or money transfer).
Unaware that the request is from an attacker, the vulnerable website processes the request and performs the attacker's intended action.
Users often realize they have been attacked only after noticing unexpected changes or transactions on the vulnerable website.
Exploiting CSRF Vulnerabilities
Let's explore some attack scenarios to understand how CSRF attacks work.
Attacking web applications with no CSRF defense:
Attackers often host malicious HTML on websites they control and lure victims to access those websites through email or social media links.
The simplest case is an action that the vulnerable website accepts via a GET request: a single URL on the vulnerable website is then enough to trigger it.
In this scenario, let's assume the attacker wants to change the victim's email address to their own.
The attacker creates an HTML page that makes a POST request to the target application.
When the victim visits the page hosted on the attacker's server, it triggers a request to the target application that changes the victim's email address.
Bypassing CSRF Token Validations
CSRF tokens are generated by the server-side application and sent to the client as unique, secret, and unpredictable values tied to the user's session. The frontend includes the token when submitting forms or performing sensitive actions, and the server rejects any state-changing request whose token is missing or does not match the one issued for that session; an attacker's page cannot read the token, so it cannot forge a valid request.
Attackers may attempt to bypass CSRF token validations in various ways:
Changing the request method: Some web applications only apply CSRF defenses to specific request methods (for example, only to POST). If the same endpoint also accepts the state-changing action over GET, an attacker can bypass the validation simply by switching the request method to GET.
For example, if the application uses the "csrf" parameter to validate changes to the email address, an attacker can craft a GET request to modify the victim's email address:
Removing the token parameter: Some applications validate the CSRF token correctly when it is present but skip the validation entirely if the token parameter is absent, instead of failing closed. An attacker can bypass such validation by removing the whole token parameter from the request body.
For example, if the application expects a request body with a "csrf" parameter, an attacker can create a CSRF proof of concept by not submitting the "csrf" parameter:
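The two bypasses above (method switching and token removal) both stem from how the server validates the token, so the fix belongs there. The following is an added illustration, not code from the original article: a constructed `weak_check` that reproduces both flaws beside a `strict_check` that refuses safe methods on a state-changing endpoint, fails closed on a missing token, and compares in constant time. The function names, the `csrf` parameter name and the request shapes are assumptions for the example.

```python
import hmac
import secrets

# Methods that may change server-side state and therefore need a CSRF token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token():
    """Generate a per-session CSRF token (store it in the server-side session)."""
    return secrets.token_urlsafe(32)


def weak_check(method, params, session_token):
    """Flawed validation, constructed to mirror the two bypasses described above.

    1. Only POST is checked, so a GET request to the same endpoint is let through.
    2. A missing 'csrf' parameter skips validation instead of failing closed.
    """
    if method != "POST":
        return True                      # flaw 1: other methods are never checked
    if "csrf" not in params:
        return True                      # flaw 2: absent token means no check
    return params["csrf"] == session_token


def strict_check(method, params, session_token):
    """Hardened validation for a state-changing endpoint (e.g. change email).

    - Safe methods (GET, HEAD, ...) are refused outright: the endpoint must
      never change state in response to them, so method switching gains nothing.
    - A missing or empty token, or no token issued for the session, fails closed.
    - The comparison is constant-time so the token cannot be leaked by timing.
    """
    if method not in STATE_CHANGING:
        return False
    token = params.get("csrf")
    if not token or not session_token:
        return False
    return hmac.compare_digest(token.encode(), session_token.encode())
```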
These are just a few examples of CSRF bypass techniques. Attackers may employ various methods to bypass CSRF defenses. It is important to understand these techniques to develop robust web applications and protect against CSRF attacks.
Please note that these examples are for educational purposes only, and engaging in CSRF attacks or bypassing CSRF protections is illegal and unethical.