CSRF Bug was fixed by them checking the Origin header value. If it wasn't *.theirdomain.com it would fail (even origin: null failed) The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed - By "zseano"
i'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.
If you ever see an action being completed in the URL, without any CSRF token, here's a tip:
Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.
Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty
PUT and DELETE CSRF possible under two conditions
1) “_method” parameter. Some frameworks have enabled _method by default even it’s not necessary to execute the Request (Simply change the PUT and DELETE to POST and pass them in _method
Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. _csrf_token=undefined #bugbountytips
