# Cross Site Request Forgery (CSRF)

* [CSRF bug was fixed by them checking the Origin header value. If it wasn't \*.theirdomain.com it would fail (even origin: null failed). The bypass: Firefox doesn't set the Origin header when iframing data:text/html;base64, thus no check was done = patch bypassed. - By "zseano"](https://twitter.com/zseano/status/1108734794429546497)
* [I'm going to tell you about the coolest CSRF 'bypass' I found (/sarcasm). CSRF token was sent with the POST request. Change to GET and remove the CSRF token => request works. Literally.. that easy.](https://twitter.com/zseano/status/1080538613895565312)
* [If you ever see an action being completed in the URL, without any CSRF token, here's a tip:](https://twitter.com/LooseSecurity/status/1115035885203087360)

  [Check if you can post an image on the website or even set your avatar to a remote URL, then make it the URL of the action. Whoever views the image will execute the action.](https://twitter.com/LooseSecurity/status/1115035885203087360)
* [Try changing POST request method to GET in XSRF attacks with cookies' attribute set to {Samesite: Lax}, since Lax value only applies to POST requests. #bugbounty](https://twitter.com/iamTakeMyHand/status/1118428514640809985)
* [PUT and DELETE CSRF possible under two conditions](https://twitter.com/_jensec/status/1134072475829096448)

  [1) “\_method” parameter. Some frameworks have enabled \_method by default even if it’s not necessary to execute the request (simply change the PUT and DELETE to POST and pass them in \_method).](https://twitter.com/_jensec/status/1134072475829096448)
* [Interesting .. Bypassed the CSRF Protection of a target by setting the token param value to undefined. \_csrf\_token=undefined #bugbountytips](https://twitter.com/a_rrahmani/status/1151516597003198464)
* JSON CSRF - <http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html>
* <https://twitter.com/SpiderSec/status/1239860710374617088>
* PHP CSRF protection bypass: `csrftoken[]=&message=x` -> supply an empty array as the CSRF token parameter. You can find multiple CSRF protection frameworks on GitHub that are vulnerable to this.
* [CSRF tip. You can send text/plain; application/json Content-Type header cross domain without triggering CORS. Backend might think that content type is application/json 😎 #bugbounty](https://twitter.com/0ang3el/status/1055860035392278530?lang=en)

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MOdo79GHQ3LYTabOwgY%2F-MOdoI3Jqw2r9CdQfkrw%2Fimage.png?alt=media\&token=5f722913-3aaf-47d5-bfe5-0903fd422c7a)

* [This is the shortest alert() XSS payload I know that can be used in a context where it isn't inside any HTML tags or attributes.](https://twitter.com/hakluke/status/1293501513663422464?s=20)

  [\<svg/onload=alert()>](https://twitter.com/hakluke/status/1293501513663422464?s=20)

  [Let me know in the comments if you have a shorter one!](https://twitter.com/hakluke/status/1293501513663422464?s=20)
* [Origin Check bypass for CSRF.](https://twitter.com/D1r3Wolf_/status/1253253055375478785?s=20)
* [Firefox: works. Chrome: if server allows `Origin: null`.](https://twitter.com/D1r3Wolf_/status/1253253055375478785?s=20)

```
Got the solution :
 <iframe src='data:text/html,<body onload="document.forms[0].submit()"><form action="//redacted.com/api/auth?password=Chang3dd" method="post"></body>'></iframe>
```
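Every bypass in the list above is a server-side validation gap: accepting GET for a state-changing action, honouring a `_method` override, passing a missing or `null` Origin, treating a `text/plain` body as JSON, or comparing a token that is an empty array or the literal string `undefined`. The following is an added example (not code from the page or from any of the quoted tweets) of a CSRF validator that closes each of those gaps in one place. The request model, the site origin `https://app.example.com`, the cookie and field names and the session-bound HMAC token scheme are all assumptions for the example, not any framework's API.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumed site origin and application secret (placeholders for the example).
ALLOWED_ORIGINS = {"https://app.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
ACCEPTED_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "application/json",
}


@dataclass
class Request:
    """Minimal request model for the example (not a framework object)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)    # parsed body: str or list values
    cookies: dict = field(default_factory=dict)


def expected_token(secret: bytes, session_id: str) -> str:
    """Session-bound token: HMAC of the session id under the app secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def media_type(req: Request) -> str:
    """Content-Type without parameters, lower-cased ('text/plain; x=y' -> 'text/plain')."""
    return req.headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def validate_csrf(req: Request, secret: bytes) -> tuple:
    """Return (ok, reason). Each rejection branch closes one bypass from the list above."""
    method = req.method.upper()
    if method in SAFE_METHODS:
        # POST->GET switching and the SameSite=Lax-only-on-POST trick both
        # rely on a GET being accepted as an action.
        return False, "state-changing action requested with a safe method"
    if "_method" in req.form:
        # A framework verb override would let a POST masquerade as PUT/DELETE.
        return False, "_method override not honoured"
    origin = req.headers.get("Origin")
    if origin is None or origin == "null" or origin not in ALLOWED_ORIGINS:
        # A missing Origin (data: iframe) and 'null' are failures, not passes.
        return False, "origin missing, null or not allowed: %r" % (origin,)
    if media_type(req) not in ACCEPTED_MEDIA_TYPES:
        # A text/plain body carrying JSON is not treated as JSON.
        return False, "unexpected content type: %r" % (media_type(req),)
    token = req.form.get("csrf_token")
    if not isinstance(token, str) or token == "" or token == "undefined":
        # An array (csrf_token[]=), an empty value or the literal string
        # 'undefined' must never compare equal to anything.
        return False, "csrf token missing or malformed"
    session_id = req.cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    if not hmac.compare_digest(token, expected_token(secret, session_id)):
        return False, "csrf token mismatch"
    return True, "ok"


# Constructed sample requests for a local run (values are made up).
SECRET = b"example-app-secret"
SESSION = "s3ss10n"


def demo() -> dict:
    base = {"Origin": "https://app.example.com",
            "Content-Type": "application/x-www-form-urlencoded"}
    good_token = expected_token(SECRET, SESSION)
    cases = [
        ("good", Request("POST", dict(base), {"csrf_token": good_token}, {"session": SESSION})),
        ("as_get", Request("GET", dict(base), {}, {"session": SESSION})),
        ("no_origin", Request("POST", {"Content-Type": base["Content-Type"]},
                              {"csrf_token": good_token}, {"session": SESSION})),
        ("undefined", Request("POST", dict(base), {"csrf_token": "undefined"}, {"session": SESSION})),
        ("array", Request("POST", dict(base), {"csrf_token": [""]}, {"session": SESSION})),
        ("text_plain", Request("POST", {"Origin": base["Origin"], "Content-Type": "text/plain"},
                               {"csrf_token": good_token}, {"session": SESSION})),
    ]
    return {name: validate_csrf(r, SECRET) for name, r in cases}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Only the `good` request is accepted; the other five reproduce the shapes of the requests the tips describe and each is rejected by a different branch, so a log of the `reason` strings doubles as a detection signal for which bypass was attempted.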
