Cross Site Request Forgery (CSRF)

• ​CSRF Bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano" ​

• ​i'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.​

• ​If you ever see an action being completed in the URL, without any CSRF token, here's a tip:​

  ​Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.​

• ​Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty​

• ​PUT and DELETE CSRF possible under two conditions​

  ​1) “_method” parameter. Some frameworks have enabled _method by default even it’s not necessary to execute the Request (Simply change the PUT and DELETE to POST and pass them in _method​

• ​Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips​

JSON CSRF - http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html​

• ​https://twitter.com/SpiderSec/status/1239860710374617088​

• PHP CSRF Protection Bypass : EXPLOIT : csrftoken[]=&message=x -> Supply an empty array on the CSRF token parameter. You can find multiple csrf protection frameworks on GitHub which are vulnerable.

• ​CSRF tip. You can send 𝐭𝐞𝐱𝐭/𝐩𝐥𝐚𝐢𝐧; 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐣𝐬𝐨𝐧 Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty​

​

​