# Cross Site Request Forgery (CSRF)

* [CSRF Bug was fixed by them checking the Origin header value. If it wasn't \*.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano" ](https://twitter.com/zseano/status/1108734794429546497)
* [I'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.](https://twitter.com/zseano/status/1080538613895565312)
* [If you ever see an action being completed in the URL, without any CSRF token, here's a tip:](https://twitter.com/LooseSecurity/status/1115035885203087360)

  [Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.](https://twitter.com/LooseSecurity/status/1115035885203087360)
* [Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty](https://twitter.com/iamTakeMyHand/status/1118428514640809985)
* [PUT and DELETE CSRF possible under two conditions](https://twitter.com/_jensec/status/1134072475829096448)

  [1) “\_method” parameter. Some frameworks have enabled \_method by default even if it’s not necessary to execute the request (simply change the PUT and DELETE to POST and pass them in \_method)](https://twitter.com/_jensec/status/1134072475829096448)
* [Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. \_csrf\_token=undefined #bugbountytips](https://twitter.com/a_rrahmani/status/1151516597003198464)
* JSON CSRF - <http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html>
* <https://twitter.com/SpiderSec/status/1239860710374617088>
* PHP CSRF Protection Bypass : EXPLOIT : csrftoken\[]=\&message=x -> Supply an empty array on the CSRF token parameter. You can find multiple csrf protection frameworks on GitHub which are vulnerable.
* [CSRF tip. You can send 𝐭𝐞𝐱𝐭/𝐩𝐥𝐚𝐢𝐧; 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧/𝐣𝐬𝐨𝐧 Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty](https://twitter.com/0ang3el/status/1055860035392278530?lang=en)
* [This is the shortest alert() XSS payload I know that can be used in a context where it isn't inside any HTML tags or attributes.](https://twitter.com/hakluke/status/1293501513663422464?s=20)

  [\<svg/onload=alert()>](https://twitter.com/hakluke/status/1293501513663422464?s=20)

  [Let me know in the comments if you have a shorter one!](https://twitter.com/hakluke/status/1293501513663422464?s=20)
* [Origin Check bypass for CSRF.](https://twitter.com/D1r3Wolf_/status/1253253055375478785?s=20)
* [Firefox: works. Chrome: if server allows `Origin: null`](https://twitter.com/D1r3Wolf_/status/1253253055375478785?s=20)

```html
Got the solution :
 <iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>
```
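The tips above all describe a server-side CSRF check that is too lenient in one spot: a missing or `null` Origin treated as a pass, a GET reaching a state-changing action, a `_method` override, a `text/plain` body parsed as JSON, or a token that is `undefined` or an empty array. The following is an added example (not code from the page or from any of the quoted tweets) of a request validator that closes each of those gaps; `Request`, `ALLOWED_ORIGINS` and the `csrf_token` field name are assumptions for this example.

```python
from dataclasses import dataclass, field
import hmac

# Assumed deployment values (placeholders for this example).
ALLOWED_ORIGINS = {"https://app.example.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    headers: dict
    form: dict = field(default_factory=dict)   # parsed body parameters
    query: dict = field(default_factory=dict)  # parsed URL parameters
    json_endpoint: bool = False                # route expects a JSON body


def csrf_verdict(req, session_token):
    """Return (accepted, reason) for a state-changing request.

    Each check corresponds to one of the bypass patterns collected above.
    """
    h = {k.lower(): v for k, v in req.headers.items()}
    # Method override: never let _method or X-HTTP-Method-Override turn a
    # plain form POST into a PUT/DELETE handled by a different code path.
    if "_method" in req.form or "_method" in req.query or "x-http-method-override" in h:
        return False, "method override not honoured"
    # Method switch: an action reached via GET (or HEAD) is refused outright,
    # so SameSite=Lax's GET exemption and <img src=...> cannot trigger it.
    if req.method.upper() not in STATE_CHANGING:
        return False, "state change requires POST/PUT/PATCH/DELETE"
    # Origin: absent (data: URL iframe in Firefox) or "null" is a fail, not a pass.
    origin = h.get("origin")
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        return False, "origin missing, null or not allowed"
    # Content-Type: JSON routes accept only application/json; text/plain
    # (sendable cross-origin without a preflight) is rejected before parsing.
    if req.json_endpoint:
        media = h.get("content-type", "").split(";")[0].strip().lower()
        if media != "application/json":
            return False, "JSON endpoint requires Content-Type: application/json"
    # Token: must be one non-empty string (PHP csrftoken[]= arrives as a list,
    # JS sends the literal string "undefined"), then compared in constant time.
    token = req.form.get("csrf_token")
    if not isinstance(token, str) or not token or token == "undefined":
        return False, "token missing or malformed"
    if not hmac.compare_digest(token.encode(), session_token.encode()):
        return False, "token mismatch"
    return True, "ok"
```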
