Cross Site Request Forgery (CSRF)

​CSRF Bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano" ​
​i'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.​
​If you ever see an action being completed in the URL, without any CSRF token, here's a tip:​
​Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.​
​Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty​
​PUT and DELETE CSRF possible under two conditions​
​1) “_method” parameter. Some frameworks have enabled _method by default even it’s not necessary to execute the Request (Simply change the PUT and DELETE to POST and pass them in _method​
​Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips​
JSON CSRF - http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html​
​https://twitter.com/SpiderSec/status/1239860710374617088​
PHP CSRF Protection Bypass : EXPLOIT : csrftoken[]=&message=x -> Supply an empty array on the CSRF token parameter. You can find multiple csrf protection frameworks on GitHub which are vulnerable.
​CSRF tip. You can send 𝐭𝐞𝐱𝐭/𝐩𝐥𝐚𝐢𝐧; 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐣𝐬𝐨𝐧 Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty​
​
​
​This is the shortest alert() XSS payload I know that can be used in a context where it isn't inside any HTML tags or attributes.​
​<svg/onload=alert()>​
​Let me know in the comments if you have a shorter one!​
​Origin Check bypass for CSRF.​
​Firefox : works Chrome : if server allows Origin: null​
Got the solution :
 <iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>
​
​
API
Server Side Request Forgery (SSRF)
Last modified 1yr ago