Lohitaksh Nandan
Jan 24 β€’ 7 tweets β€’ 3 min read
10 Ways to Bypass CSRF Defense Mechanisms

A Thread 🧡
#bugbounty #bugbountytips #cybersecurity
1. Change a GET request to POST, and vice versa. Some apps only validate the token on one method, or a GET handler performs the same state change without any check.

2. Remove the CSRF token parameter entirely and resend, then send the parameter with an empty value. Some apps only validate the token when one is present.

3. Change part of the token and resend. In some apps the token has a static part (same for all users) and a dynamic part (different per user); put a random value in the dynamic part and check whether only the static part is being compared.

4. Check whether the token is tied to the user's session. If a token issued to your own account is accepted in the victim's session, tokens come from a global pool and you can exploit it with your own token.

5. Check whether the token is only compared against a CSRF cookie (double-submit) rather than the session: 1) submit an invalid token and check, 2) submit a valid token from another user together with that user's CSRF cookie and check.

6. Try to predict the token. Some apps use guessable tokens, e.g. base64 of a username, timestamp or counter; decode a few and look for structure.

7. Check whether the token is tied to a non-session cookie instead of the session cookie. If it is, and you can set a cookie in the victim's browser (e.g. via a header injection elsewhere on the site), you can exploit it.

8. Remove the Referer header and check (e.g. with <meta name="referrer" content="no-referrer"> on the attacker page). Many apps skip the check when the header is absent.

9. Also check which portion of the Referer header the application validates, and manipulate that portion: put the expected domain in your domain's query string, path, or as a subdomain label (e.g. https://attacker.example/?vulnerable-website.com). Use a Referrer-Policy of unsafe-url so the browser keeps the full URL.

10. Use a cookie-fixation technique (session-fixation style) to make the victim's browser store whatever value you choose as the CSRF cookie, then execute the CSRF with that same value as the token parameter.

#bugbounty #bugbountytips #cybersecurity #hacking
