Book of BugBounty Tips

Cross Site Request Forgery (CSRF)

  • CSRF bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even Origin: null failed). The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed. - By "zseano"

  • I'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally... that easy.

  • If you ever see an action being completed in the URL, without any CSRF token, here's a tip:

    Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.

  • Try changing the POST request method to GET in XSRF attacks when the cookie's attribute is set to SameSite=Lax, since the Lax value only applies to POST requests. #bugbounty

  • PUT and DELETE CSRF possible under two conditions:

    1) The "_method" parameter. Some frameworks have _method enabled by default even when it's not necessary to execute the request (simply change PUT and DELETE to POST and pass them in _method).

  • Interesting... Bypassed the CSRF protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips
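The tips above share one pattern: the anti-CSRF check is wired to a single handler or a single header, and the forged request simply arrives where the check is not. The simulation below is an added example, not code from the page or from any of the quoted authors. It models a browser deciding whether the session cookie is attached under a given SameSite value (simplified rules: same-site requests always get it, Lax additionally sends it on cross-site top-level GET/HEAD navigations, None always sends it) and a server whose only CSRF defence is an Origin allowlist on the POST handler that fails open when the header is absent. The target in the second tip used a token rather than Origin, but the defect modelled is the same: the GET route is never checked. The origins `app.example` and `evil.example`, the `to`/`csrf`/`_method` parameters and every function name are constructed for this example. The `_csrf_token=undefined` tip is not modelled because the page does not say why that server accepted it.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE = "https://app.example"       # constructed target origin (stands in for *.theirdomain.com)
ATTACKER = "https://evil.example"  # constructed attacker origin
SESSION_TOKEN = secrets.token_hex(16)  # anti-CSRF token bound to the victim's session (fixed server only)


@dataclass
class Request:
    """One request to the action endpoint, plus the browser context that produced it."""
    method: str
    initiator: Optional[str]      # origin of the page that issued it; None = opaque (data: URL frame)
    top_level: bool               # True for a navigation or form submission, False for <img>/<iframe> loads
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def cookie_attached(req: Request, samesite: str) -> bool:
    """Browser side: does the session cookie ride along? Simplified SameSite rules."""
    if req.initiator == SITE:                # same-site requests always carry the cookie
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":                    # only cross-site top-level navigations with safe methods
        return req.top_level and req.method in ("GET", "HEAD")
    return True                              # SameSite=None: always sent


def vulnerable_server(req: Request, cookie: bool) -> bool:
    """True if the state-changing action ran. The only defence is an Origin allowlist
    on the POST handler, and it fails open when the header is missing (tips 1, 2, 4, 5)."""
    if not cookie:
        return False                                           # no session, nothing to forge
    method = req.params.get("_method", req.method).upper()     # framework _method override (tip 5)
    if method != "POST":
        return True                                            # GET/PUT/DELETE handlers are unchecked
    origin = req.headers.get("Origin")
    if origin is None:
        return True                                            # absent Origin skips the check (tip 1)
    return origin == SITE


def fixed_server(req: Request, cookie: bool) -> bool:
    """Fail closed: safe methods never mutate state, Origin must be present and match,
    and the per-session token is verified with a constant-time compare."""
    if not cookie or req.method in ("GET", "HEAD"):
        return False
    if req.headers.get("Origin") != SITE:                      # missing Origin counts as cross-site
        return False
    token = req.params.get("csrf", "")
    return bool(token) and hmac.compare_digest(token, SESSION_TOKEN)


def scenarios() -> dict:
    """Constructed forgeries, one per tip, plus the legitimate form as a control."""
    return {
        # tip 1: form posted from a data:text/html iframe; Firefox sends no Origin header
        "data_iframe_no_origin": Request("POST", None, False, {"to": "attacker"}),
        # tips 2/4: same action as a GET navigation, token dropped; navigations carry no Origin
        "get_downgrade": Request("GET", ATTACKER, True, {"to": "attacker"}),
        # tip 3: avatar URL set to the action, fetched as <img> by the site's own pages
        "stored_image_url": Request("GET", SITE, False, {"to": "attacker"}),
        # tip 5: cross-site form POST with _method=DELETE (a form cannot send DELETE itself)
        "method_override": Request("POST", ATTACKER, True, {"_method": "DELETE"},
                                   {"Origin": ATTACKER}),
        # control: the real form on the site, with its token and a matching Origin
        "legit_post": Request("POST", SITE, True, {"csrf": SESSION_TOKEN}, {"Origin": SITE}),
    }


def run(samesite: str) -> dict:
    """Scenario name -> (action ran on the vulnerable server, action ran on the fixed server)."""
    results = {}
    for name, req in scenarios().items():
        cookie = cookie_attached(req, samesite)
        results[name] = (vulnerable_server(req, cookie), fixed_server(req, cookie))
    return results


if __name__ == "__main__":
    for policy in ("None", "Lax", "Strict"):
        print(f"SameSite={policy}")
        for name, (vuln, fixed) in run(policy).items():
            print(f"  {name:22s} vulnerable={str(vuln):5s} fixed={fixed}")
```

Running it prints which forgeries still succeed under each SameSite setting. With Lax, the data: iframe POST and the _method form post lose their cookie, but the GET downgrade (a top-level navigation) and the stored image URL (fetched by the site's own pages, so a same-site request) still go through against the vulnerable server; the fixed server rejects all four and accepts only the real form with its token and a matching Origin.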


Last updated 5 months ago