Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Site-wide CSRF bypass on Glassdoor - 327

Tabahi, posted 5 years ago
  • CSRF allows an attacker to make requests on behalf of a user who visits the attacker's site. This is mitigated with large, random values called CSRF tokens that are sent with each request. The trick is that the tokens are NOT known to the attacker.
  • Finding a way to circumvent CSRF tokens commonly leads to account takeovers.
  • In this case, the CSRF tokens had a specific structure and were validated based on that structure: --encoded-string--:--encoded-string--:--encoded-string--, with a length validation somewhere in there.
  • Because of the complicated CSRF token format, a bunch of validation had to be done. This included whether the token was tied to the session, validation of the format itself, whether the token was cross-account... and other things.
  • However, if the token had an invalid length, an exception occurred that was NOT caught. Because of this lack of exception handling, the token verification passed!
  • This bug was found by accident when the author of the vulnerability dropped the first character of the token during a copy and paste. What does this mean? CSRF tokens are vulnerable to logic bugs just like anything else. Sometimes messing around with the size, characters or anything else can lead to an unexpected bypass.
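The failure mode above is a fail-open validator: a malformed token raises instead of returning "invalid", and whatever catches (or fails to catch) that exception never sets the request to "rejected". The Python below is an added illustration, not code from the write-up or from Glassdoor's implementation. It models a three-part `encoded:encoded:encoded` token with fixed part lengths (the format, lengths, demo key and the handler names `handle_request_vulnerable` / `handle_request_hardened` are all assumptions) and puts the fail-open handler beside a default-deny one, so that the "drop the first character" case from the post can be traced through both.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Assumed token shape: base64(session_id):base64(nonce):base64(hmac-sha256).
# Session ids are 32-character strings here, so every part has a fixed length.
SID_B64_LEN = 44    # base64 of 32 bytes
NONCE_B64_LEN = 24  # base64 of 16 bytes
MAC_B64_LEN = 44    # base64 of a 32-byte SHA-256 tag

AUDIT_LOG = []  # stands in for the application's error log


def _mac(sid_b64: str, nonce_b64: str) -> str:
    tag = hmac.new(SECRET_KEY, f"{sid_b64}:{nonce_b64}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode()


def make_token(session_id: str) -> str:
    """Issue a token bound to this session (server side, at page render time)."""
    sid_b64 = base64.urlsafe_b64encode(session_id.encode()).decode()
    nonce_b64 = base64.urlsafe_b64encode(secrets.token_bytes(16)).decode()
    return f"{sid_b64}:{nonce_b64}:{_mac(sid_b64, nonce_b64)}"


def check_token(token: str, session_id: str) -> bool:
    """Structural and cryptographic check.

    Returns False for a well-formed token that does not belong to this session.
    Raises ValueError for a token that does not even have the expected shape;
    that exception is the hazard the post describes.
    """
    parts = token.split(":")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    sid_b64, nonce_b64, mac_b64 = parts
    if (len(sid_b64), len(nonce_b64), len(mac_b64)) != (SID_B64_LEN, NONCE_B64_LEN, MAC_B64_LEN):
        raise ValueError("token part has unexpected length")
    if not hmac.compare_digest(mac_b64, _mac(sid_b64, nonce_b64)):
        return False  # tampered or forged: MAC does not verify
    # MAC verified, so the first part is the base64 we produced ourselves.
    return hmac.compare_digest(base64.urlsafe_b64decode(sid_b64).decode(), session_id)


def handle_request_vulnerable(token: str, session_id: str) -> str:
    """Fail-open pattern: only an explicit False flips `rejected`; a catch-all
    written for 'unexpected errors' logs the ValueError and falls through."""
    rejected = False
    try:
        if not check_token(token, session_id):
            rejected = True
    except Exception as exc:  # noqa: BLE001 - the overly broad catch is the bug being modelled
        AUDIT_LOG.append(f"unexpected error during CSRF check: {exc}")
    return "403 Forbidden" if rejected else "200 state changed"


def handle_request_hardened(token: str, session_id: str) -> str:
    """Default deny: the request is accepted only if the check positively returns True,
    and a malformed token is treated as a failed check, not as an error to skip past."""
    accepted = False
    try:
        accepted = check_token(token, session_id)
    except ValueError as exc:
        AUDIT_LOG.append(f"malformed CSRF token rejected: {exc}")
        accepted = False
    return "200 state changed" if accepted else "403 Forbidden"
```

The difference is one line of control flow: the vulnerable handler starts from "not rejected" and needs the check to run to completion to reject, while the hardened one starts from "not accepted" and needs the check to run to completion to accept. A length check that throws, a decoder that throws, or any other unexpected path lands on the safe side only in the second version.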