My methodology to bypass CSRF
Hello everyone, my name is Ahmed Farag, and this is my first blog on my journey to
study web application vulnerabilities. I will show my methodology to bypass CSRF
with 9 different methods.
https://medium.com/@0x7irix/my-methodology-to-bypass-csrf-957b4e552ae7 1/10
4/9/24, 4:30 AM My methodology to bypass CSRF. Hello everyone, my name is Ahmed Farag… | by 0x7irix | Apr, 2024 | Medium
Cross-site request forgery (also known as CSRF) is a web security vulnerability that
allows an attacker to induce users to perform actions that they do not intend to
perform. It allows an attacker to partly circumvent the same origin policy, which is
designed to prevent different websites from interfering with each other.
An Action: there must be an API call or POST request that an attacker can
take advantage of. The action can be anything, such as changing the email,
resetting the password, updating the profile, enabling 2FA, etc.
Cookie-based Session Handling: the application must rely on session
cookies alone to identify which user made the request. There must be no other
mechanism that tracks the user's requests, and no extra protection such as asking
a secret question before an update.
No Token Parameters: the requests that perform the action must not contain
any parameter whose value an attacker cannot guess or brute-force.
Example: if you are going to enable 2FA, the application will likely ask you to
confirm your password; in that case the attacker cannot use CSRF successfully
because they do not know the password.
Bypass Method-1
First, check whether the server only checks the token itself: resend the same
request and see whether the token stays constant for every request I send. If the
token is constant, I can say I have a CSRF vulnerability.
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
email=test%40test.com&csrf=Yl1zlDXaJsflSqKqBVZtN9bK3MMjyXhN
Bypass Method-2
Delete the value of the token and send the request. If the response says the CSRF
token is missing, delete the whole parameter and send the request again; if the
response is 200 or 302, you have a CSRF vulnerability.
Bypass Method-3
Try changing the token to a different value and send the request; maybe the server
does not validate the token's content and only checks that some value is present.
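The checks behind Methods 1, 2, 3 and 7 all target the same server-side defect: a token that is only checked for presence, or that is not bound to the session it was issued to. The following is an added example (not code from the post) that replays those probes against a presence-only validator and against a proper synchronizer-token check; the `Session` class, the probe names and the second "attacker" account are constructed for the demo, and the email value is the one from the captured request above.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Constructed stand-in for a server-side session record."""
    session_id: str
    user: str
    csrf_token: Optional[str] = None


def issue_token(session: Session) -> str:
    """Mint a random token and bind it to this session on the server side."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def weak_validate(session: Session, params: Dict[str, str]) -> bool:
    """Presence-only check, the defect that methods 2, 3 and 7 probe.
    A missing parameter skips the check entirely, and any non-empty value is
    accepted without being compared to what this session was issued."""
    if "csrf" not in params:
        return True
    return params["csrf"] != ""


def strong_validate(session: Session, params: Dict[str, str]) -> bool:
    """Synchronizer-token check: the value must be present and must equal the
    token issued to *this* session, compared in constant time."""
    token = params.get("csrf")
    if not token or not session.csrf_token:
        return False
    return hmac.compare_digest(token.encode(), session.csrf_token.encode())


def run_probes(validate: Callable[[Session, Dict[str, str]], bool]) -> Dict[str, bool]:
    """Replay the probes from methods 1, 2, 3 and 7 against a validator.
    Returns probe name -> whether the request was accepted."""
    victim = Session("sess-victim", "victim")
    attacker = Session("sess-attacker", "attacker")   # method 7: a second account
    own_token = issue_token(victim)
    foreign_token = issue_token(attacker)
    email = "test@test.com"                           # value from the page's request
    probes = {
        "genuine_token": {"email": email, "csrf": own_token},
        "empty_value": {"email": email, "csrf": ""},                   # method 2, step 1
        "missing_parameter": {"email": email},                         # method 2, step 2
        "altered_value": {"email": email, "csrf": "irix"},             # method 3
        "other_users_token": {"email": email, "csrf": foreign_token},  # method 7
    }
    return {name: validate(victim, p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, fn in (("weak", weak_validate), ("strong", strong_validate)):
        print(name, run_probes(fn))
```

Running it shows the weak validator accepting the missing-parameter, altered-value and other-user probes (only the empty value is rejected, which is exactly the "Missing CSRF" message Method-2 relies on), while the session-bound validator accepts only the genuine token.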
Bypass Method-4
If the server checks two values, such as csrf and csrfKey, and the two differ (the
csrf token is tied to the csrfKey cookie rather than to the session), we can inject
a URL-encoded CRLF into a reflected parameter so that the response sets csrfKey in
the victim's browser, like this:
/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None
<html>
<body>
<form action="https://test.com/my-account/change-email" method="POST">
<input type="hidden" name="email" value="irix@irxi.com" />
<input type="hidden" name="csrf" value="irix" />
<input type="submit" value="Submit request" />
</form>
<!-- the image request sets the csrfKey cookie in the victim's browser before the form is submitted -->
<img src="https://test.com/?search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None" />
</body>
</html>
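Method-4 works only because the server ties the csrf token to a cookie that is not itself tied to the session, and because a reflected parameter lets CR/LF reach a Set-Cookie header. The added example below (my code, not the post's) models both halves from the server side: an unbound csrfKey table next to a session-bound one, replayed with the cross-site submission from the HTML above, plus a cookie-emitting helper that refuses CR/LF, fed the post's own `/?search=` payload. The in-memory stores, session ids and the `lastSearch` cookie name are constructed for the demo.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed in-memory token tables standing in for the server's storage.
UNBOUND_STORE: Dict[str, str] = {}              # csrfKey -> csrf
BOUND_STORE: Dict[str, Tuple[str, str]] = {}    # csrfKey -> (csrf, owning session id)


def issue_unbound_pair() -> Tuple[str, str]:
    """Vulnerable issuance: the csrf token is tied only to the csrfKey cookie."""
    key, token = secrets.token_hex(16), secrets.token_urlsafe(24)
    UNBOUND_STORE[key] = token
    return key, token


def issue_bound_pair(session_id: str) -> Tuple[str, str]:
    """Hardened issuance: the pair is additionally tied to the requesting session."""
    key, token = secrets.token_hex(16), secrets.token_urlsafe(24)
    BOUND_STORE[key] = (token, session_id)
    return key, token


def unbound_validate(cookies: Dict[str, str], params: Dict[str, str]) -> bool:
    expected = UNBOUND_STORE.get(cookies.get("csrfKey", ""))
    token = params.get("csrf", "")
    return bool(expected) and hmac.compare_digest(token.encode(), expected.encode())


def bound_validate(session_id: str, cookies: Dict[str, str], params: Dict[str, str]) -> bool:
    entry = BOUND_STORE.get(cookies.get("csrfKey", ""))
    token = params.get("csrf", "")
    if entry is None or not token:
        return False
    expected, owner = entry
    return owner == session_id and hmac.compare_digest(token.encode(), expected.encode())


def replay_method_4() -> Tuple[bool, bool]:
    """The attacker obtains a pair in their own session, the victim's browser ends up
    carrying the attacker's csrfKey cookie (the injection step above), and the
    cross-site form submits the attacker's csrf value under the victim's session."""
    a_key, a_token = issue_unbound_pair()
    victim_cookies = {"session": "sess-victim", "csrfKey": a_key}
    unbound_ok = unbound_validate(victim_cookies, {"email": "irix@irxi.com", "csrf": a_token})

    b_key, b_token = issue_bound_pair("sess-attacker")
    victim_cookies_b = {"session": "sess-victim", "csrfKey": b_key}
    bound_ok = bound_validate("sess-victim", victim_cookies_b, {"email": "irix@irxi.com", "csrf": b_token})
    return unbound_ok, bound_ok


def set_cookie_header(name: str, value: str, same_site: str = "Lax") -> str:
    """Emit a Set-Cookie line, refusing CR/LF so a reflected value can never start a
    second header. This closes the injection the /?search= payload relies on."""
    for part in (name, value):
        if "\r" in part or "\n" in part:
            raise ValueError("CR/LF in cookie material: header injection rejected")
    return f"Set-Cookie: {name}={value}; SameSite={same_site}; Secure; HttpOnly"


def reflect_search_into_cookie(raw_query_value: str) -> str:
    """Model of an endpoint that stores the last search term in a cookie (constructed name)."""
    return set_cookie_header("lastSearch", unquote(raw_query_value))


if __name__ == "__main__":
    print("unbound accepts, bound accepts:", replay_method_4())
    print(reflect_search_into_cookie("test"))
```

The two fixes are independent: binding the pair to the session defeats the replay even if a cookie can still be planted, and rejecting CR/LF in cookie values removes the planting route even if the token scheme stays as it is.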
Bypass Method-5
Try changing the request method (for example, from POST to GET).
Bypass Method-6
If you try to change the request method and the server refuses it, try to override
the method instead: change the request method and add the method override to the
request in Burp.
Exploit code:
<script>
document.location = "https://test.com/my-account/change-email?email=test@test.com";
</script>
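Methods 5 and 6 succeed when the token check is keyed on the raw request method, so a GET, or a GET carrying a method override, reaches a state-changing handler unchecked. As an added example (not the post's code), here is that dispatch logic next to a hardened version: overrides are honored only on a genuine POST, state-changing paths never accept GET/HEAD, and the token is checked on whatever method the request resolves to. The `X-HTTP-Method-Override` header and `_method` field are common override conventions; that the target application honors either is an assumption, and the path set is constructed from the post's example URL.

```python
import hmac
from typing import Dict

OVERRIDE_HEADER = "X-HTTP-Method-Override"   # common convention; honoring it is an assumption
OVERRIDE_PARAM = "_method"                   # form-field variant of the same convention
STATE_CHANGING_PATHS = {"/my-account/change-email"}   # constructed from the post's URL


def effective_method(raw_method: str, headers: Dict[str, str], params: Dict[str, str]) -> str:
    """Method the handler would dispatch on once overrides are applied."""
    lowered = {k.lower(): v for k, v in headers.items()}
    override = lowered.get(OVERRIDE_HEADER.lower()) or params.get(OVERRIDE_PARAM)
    return (override or raw_method).upper()


def weak_allows(raw_method: str, headers: Dict[str, str], params: Dict[str, str],
                path: str, expected_token: str) -> bool:
    """Vulnerable pattern behind methods 5 and 6: the token check runs only for a
    raw POST, so GET (with or without an override to POST) goes through unchecked."""
    if raw_method.upper() == "POST":
        return params.get("csrf", "") == expected_token
    return True


def hardened_allows(raw_method: str, headers: Dict[str, str], params: Dict[str, str],
                    path: str, expected_token: str) -> bool:
    raw = raw_method.upper()
    has_override = (OVERRIDE_HEADER.lower() in {k.lower() for k in headers}
                    or OVERRIDE_PARAM in params)
    if has_override and raw != "POST":
        return False                       # overrides are honored only on a genuine POST
    method = effective_method(raw, headers, params)
    if path not in STATE_CHANGING_PATHS:
        return True
    if method in ("GET", "HEAD"):
        return False                       # state changes never ride on safe methods
    token = params.get("csrf", "")
    return bool(token) and hmac.compare_digest(token.encode(), expected_token.encode())


if __name__ == "__main__":
    tok = "Yl1zlDXaJsflSqKqBVZtN9bK3MMjyXhN"   # token value from the captured request
    path = "/my-account/change-email"
    get_nav = {"email": "test@test.com"}  # what the document.location exploit sends
    print("weak allows GET:", weak_allows("GET", {}, get_nav, path, tok))
    print("hardened allows GET:", hardened_allows("GET", {}, get_nav, path, tok))
```

The ordering in `hardened_allows` matters: the override is resolved before the method and path policy are applied, so a request cannot use the override to land on a code path that skips the token check.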
Bypass Method-7
Create a new account and send the request; capture the token and drop the request,
then use that token in another request for a different account.
Bypass Method-8
Many web applications use a CSRF token with a static part and a dynamic part.
Take a 40-character token as an example: the first 20 characters are static, i.e.
they are the same for every user registered on the web application, and the next
20 characters are dynamic, i.e. the last 20 characters differ for every user. So
what you can do is keep the static characters of the CSRF token the same and use
random text for the 20 dynamic characters. If the server accepts the token, you
have successfully bypassed the CSRF protection.
Bypass Method-9
Check the token for randomness, use Burp to automate the randomness test, and see
whether the token is weak and can be cracked. Also check whether the CSRF token is
just a normal hash such as MD5: if it is a common algorithm, you can try creating a
new token with that hash algorithm and replacing the token. Try changing the
User-Agent to a mobile user agent and see whether the request is accepted.
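Methods 8 and 9 both come down to a token that carries less randomness than its length suggests: a static prefix shared by all users, or a value derived from something guessable. The added example below (not code from the post) is the screening a defender can run over a sample of their own application's tokens: it measures the shared static prefix and estimates the per-position Shannon entropy, flags the token as weak when either figure is poor, and shows the recommended issuance with no static part. The sample tokens, the 64-bit threshold and the quarter-width prefix rule are constructed for the demo.

```python
import math
import os
import secrets
from collections import Counter
from typing import Dict, List

# Constructed sample in the shape Method-8 describes: 20 static characters shared
# by every token, followed by 20 characters that vary per user.
STATIC_PREFIX = "5b2e8f0c9a1d4e7b3c6f"
SAMPLE_TOKENS = [STATIC_PREFIX + d for d in (
    "0123456789abcdef0123",
    "fedcba9876543210fedc",
    "a1b2c3d4e5f6a7b8c9d0",
    "1111222233334444aaaa",
    "deadbeefcafef00d1234",
    "0000ffff1111eeee2222",
)]


def static_prefix_len(tokens: List[str]) -> int:
    """Length of the prefix every sampled token shares."""
    return len(os.path.commonprefix(tokens))


def per_position_entropy_bits(tokens: List[str]) -> List[float]:
    """Shannon entropy of the observed characters at each position. A small sample
    underestimates the true entropy, so treat the result as a screening figure."""
    width = min(len(t) for t in tokens)
    out = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        total = sum(counts.values())
        out.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return out


def assess_tokens(tokens: List[str], min_total_bits: float = 64.0) -> Dict[str, object]:
    """Flag a token scheme as weak when a quarter or more of it is static, or when
    the summed per-position entropy falls below the (constructed) threshold."""
    prefix = static_prefix_len(tokens)
    width = min(len(t) for t in tokens)
    total_bits = sum(per_position_entropy_bits(tokens))
    weak = prefix >= width / 4 or total_bits < min_total_bits
    return {"static_prefix_len": prefix, "width": width,
            "estimated_bits": round(total_bits, 1), "weak": weak}


def generate_token() -> str:
    """Recommended issuance: 160 bits from the OS CSPRNG, no static part, no hash
    of anything a client could predict."""
    return secrets.token_hex(20)


if __name__ == "__main__":
    print("sampled scheme:", assess_tokens(SAMPLE_TOKENS))
    print("CSPRNG scheme: ", assess_tokens([generate_token() for _ in range(50)]))
```

The entropy estimate is only as good as the sample, so collect tokens across many sessions before drawing a conclusion; a static prefix, on the other hand, shows up reliably even in a handful of tokens.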
Written by 0x7irix