Cross Site Request Forgery (CSRF)

• CSRF Bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano"

• i'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.

• If you ever see an action being completed in the URL, without any CSRF token, here's a tip:

  Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.

• Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty

• PUT and DELETE CSRF possible under two conditions

  1) “_method” parameter. Some frameworks have enabled _method by default even it’s not necessary to execute the Request (Simply change the PUT and DELETE to POST and pass them in _method

• Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips

• JSON CSRF - http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html

• https://twitter.com/SpiderSec/status/1239860710374617088

• PHP CSRF Protection Bypass : EXPLOIT : csrftoken[]=&message=x -> Supply an empty array on the CSRF token parameter. You can find multiple csrf protection frameworks on GitHub which are vulnerable.

• CSRF tip. You can send 𝐭𝐞𝐱𝐭/𝐩𝐥𝐚𝐢𝐧; 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐣𝐬𝐨𝐧 Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty

• This is the shortest alert() XSS payload I know that can be used in a context where it isn't inside any HTML tags or attributes.

  <svg/onload=alert()>

  Let me know in the comments if you have a shorter one!

• Origin Check bypass for CSRF.

• Firefox : works Chrome : if server allows Origin: null

Got the solution :
 <iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>