1. Check whether the request carries a CSRF token. If it does, remove the token and send the request: is the check bypassed? Modify the CSRF token to any other CSRF token. Check whether the CSRF token is matched against a cookie token; if yes, you can bypass this.
3. There can be an Origin check on the server side. This CSRF protection is done using the CORS policy.
4. The Origin header is always sent by the browser; you can't modify it or send your own Origin with XMLHttpRequest or the Fetch API.
6. Change the Origin to your attacker domain and look at the above response header again: does it contain your domain or * in the response? Congo, you can bypass this.
8. Does the server check the "Referer" header? Bypass it by having this in the HTML:
<meta name="referrer" content="no-referrer">
developer.mozilla.org/en-US/docs/Web…
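The server-side check that holds up against each test in this list, as an added example (not code from the original thread): the token is required, it is bound to the session rather than compared to a cookie, the Origin is matched against an allowlist, and a request with neither Origin nor Referer is rejected. The secret, the origin `https://app.example` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SECRET = b"constructed-demo-key"           # assumption: per-deployment secret
ALLOWED_ORIGINS = {"https://app.example"}  # assumption: the site's own origin


def issue_token(session_id):
    """HMAC of the session id, so a token from another session never verifies."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def source_origin(headers):
    """Origin if present, else scheme://host taken from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(method, headers, session_id, token):
    """Return (allowed, reason) for one request."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    # Item 1: a removed token must fail, not fall through.
    if not token:
        return False, "token missing"
    # Item 1: compare against the session, not against a cookie the client sends.
    expected = issue_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "token not bound to this session"
    # Item 8: a stripped Referer (no-referrer) is a failure, not a pass.
    origin = source_origin(headers)
    if origin is None:
        return False, "no Origin or Referer"
    # Items 3-6: exact match against an allowlist, never reflection or "*".
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"
```
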









