Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CSRF Protection Bypass to Account Takeover- 209

Harsh Bothra Posted 5 Years Ago
  • Cross-Site Request Forgery (CSRF) is a vulnerability that allows a request to be made from another website (the attacker's) to the target website on behalf of a logged-in user, causing a state-changing action.
  • CSRF is typically mitigated with very long and random values called CSRF tokens, which make CSRF impossible as long as the value is not known to the attacker.
  • However, so many things can go wrong with these tokens. Here's a list from the article to check for:
    • Remove Anti-CSRF Token
    • Spoof Anti-CSRF Token by Changing a few bits
    • Using Same Anti-CSRF Token (from other account)
    • Weak Cryptography to generate Anti-CSRF Token
    • Stealing Token with other attacks such as XSS.
    • Converting POST Request to GET Request to bypass the CSRF Token Check.
  • In this article, the attacker just changes the request from a POST to a GET. The endpoint still works! Now the CSRF check has been bypassed entirely!
  • Now, for the account takeover... to change a password, you must know your current password. However, simply removing this field from the request still works. Pair the CSRF bypass with this bug and you have a CSRF account takeover.
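To show both of the above bugs side by side, here is an added example that is not from the article or from this page's author: a vulnerable password-change handler next to its hardened form, using a constructed in-memory session and a toy Request class (all names are assumptions).

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    params: dict = field(default_factory=dict)


def vulnerable_change_password(req: Request, session: dict) -> str:
    """Handler with the two defects from the write-up."""
    # Bug 1: the CSRF token is only checked on POST. Sending the same
    # parameters with GET skips the check entirely.
    if req.method == "POST":
        if req.params.get("csrf_token") != session["csrf_token"]:
            return "csrf failed"
    # Bug 2: the current password is only verified when the field is present,
    # so simply omitting it from the request skips the check.
    if "current_password" in req.params:
        if req.params["current_password"] != session["password"]:
            return "wrong current password"
    session["password"] = req.params["new_password"]
    return "password changed"


def hardened_change_password(req: Request, session: dict) -> str:
    """Same endpoint with both defects fixed."""
    # Fix 1: a state-changing endpoint accepts POST only; GET is never allowed.
    if req.method != "POST":
        return "method not allowed"
    # Fix 2: the token is mandatory on every request and compared in
    # constant time.
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "csrf failed"
    # Fix 3: the current password is required, not optional.
    if req.params.get("current_password") != session["password"]:
        return "wrong current password"
    session["password"] = req.params["new_password"]
    return "password changed"


if __name__ == "__main__":
    # Constructed session: token issued to the user plus their current password
    # (kept in plaintext only to keep the example short).
    attacker_style = Request("GET", {"new_password": "pwned"})
    print(vulnerable_change_password(attacker_style, {"csrf_token": "t0k", "password": "old"}))
    print(hardened_change_password(attacker_style, {"csrf_token": "t0k", "password": "old"}))
```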