Bypassing CSRF token validation | Web Security Academy (2024)

In this section, we'll explain what CSRF tokens are, how they protect against CSRF attacks, and how you can potentially bypass these defenses.

What is a CSRF token?

A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When issuing a request to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token. Otherwise, the server will refuse to perform the requested action.

A common way to share CSRF tokens with the client is to include them as a hidden parameter in an HTML form, for example:

<form name="change-email-form" action="/my-account/change-email" method="POST">
    <label>Email</label>
    <input required type="email" name="email" value="example@normal-website.com">
    <input required type="hidden" name="csrf" value="50FaWgdOhi9M9wyna8taR1k3ODOR8d6u">
    <button class='button' type='submit'> Update email </button>
</form>

Submitting this form results in the following request:

POST /my-account/change-email HTTP/1.1
Host: normal-website.com
Content-Length: 70
Content-Type: application/x-www-form-urlencoded

csrf=50FaWgdOhi9M9wyna8taR1k3ODOR8d6u&email=example@normal-website.com

When implemented correctly, CSRF tokens help protect against CSRF attacks by making it difficult for an attacker to construct a valid request on behalf of the victim. As the attacker has no way of predicting the correct value for the CSRF token, they won't be able to include it in the malicious request.

Note

CSRF tokens don't have to be sent as hidden parameters in a POST request. Some applications place CSRF tokens in HTTP headers, for example. The way in which tokens are transmitted has a significant impact on the security of a mechanism as a whole. For more information, see How to prevent CSRF vulnerabilities.

Common flaws in CSRF token validation

CSRF vulnerabilities typically arise due to flawed validation of CSRF tokens. In this section, we'll cover some of the most common issues that enable attackers to bypass these defenses.

Validation of CSRF token depends on request method

Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.

In this situation, the attacker can switch to the GET method to bypass the validation and deliver a CSRF attack:

GET /email/change?email=pwned@evil-user.net HTTP/1.1
Host: vulnerable-website.com
Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm

Validation of CSRF token depends on token being present

Some applications correctly validate the token when it is present but skip the validation if the token is omitted.

In this situation, the attacker can remove the entire parameter containing the token (not just its value) to bypass the validation and deliver a CSRF attack:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
Cookie: session=2yQIDcpia41WrATfjPqvm9tOkDvkMvLm

email=pwned@evil-user.net

LAB (Practitioner): CSRF where token validation depends on token being present
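As an added example (not code from the Web Security Academy page), the following Python validator shows the two flaws just described next to a hardened check. The token value and the request bodies are the ones from the sample requests above; the function names and the in-memory session token are assumptions for the demonstration.

```python
import hmac
from urllib.parse import parse_qs

# Token the server recorded for the victim's session (value taken from the
# page's sample form; in a real application it comes from the session store).
SESSION_TOKEN = "50FaWgdOhi9M9wyna8taR1k3ODOR8d6u"

def weak_validate(method, body, session_token):
    """Flawed validator: both bypasses described above succeed against it."""
    if method != "POST":
        return True           # flaw 1: GET requests skip validation entirely
    params = parse_qs(body)
    if "csrf" not in params:
        return True           # flaw 2: an absent csrf parameter is accepted
    return params["csrf"][0] == session_token

def hardened_validate(method, body, session_token):
    """State-changing action: POST only, token mandatory, constant-time compare."""
    if method != "POST":
        return False          # never perform a state change on GET
    if not session_token:
        return False          # no token has been issued for this session yet
    params = parse_qs(body, keep_blank_values=True)
    submitted = params.get("csrf", [""])[0]
    if not submitted:
        return False          # missing or empty token is a failure, not a skip
    return hmac.compare_digest(submitted.encode(), session_token.encode())
```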

CSRF token is not tied to the user session

Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.

In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then feed that token to the victim user in their CSRF attack.

LAB (Practitioner): CSRF where token is not tied to user session

CSRF token is tied to a non-session cookie

In a variation on the preceding vulnerability, some applications do tie the CSRF token to a cookie, but not to the same cookie that is used to track sessions. This can easily occur when an application employs two different frameworks, one for session handling and one for CSRF protection, which are not integrated together:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=pSJYSScWKpmC60LpFOAHKixuFuM4uXWF; csrfKey=rZHCnSzEp8dbI6atzagGoSYyqJqTz5dv

csrf=RhV7yQDO0xcq9gLEah2WVbmuFqyOq7tY&email=wiener@normal-user.com

This situation is harder to exploit but is still vulnerable. If the website contains any behavior that allows an attacker to set a cookie in a victim's browser, then an attack is possible. The attacker can log in to the application using their own account, obtain a valid token and associated cookie, leverage the cookie-setting behavior to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.

LAB (Practitioner): CSRF where token is tied to non-session cookie

Note

The cookie-setting behavior does not even need to exist within the same web application as the CSRF vulnerability. Any other application within the same overall DNS domain can potentially be leveraged to set cookies in the application that is being targeted, if the cookie that is controlled has suitable scope. For example, a cookie-setting function on staging.demo.normal-website.com could be leveraged to place a cookie that is submitted to secure.normal-website.com.

CSRF token is simply duplicated in a cookie

In a further variation on the preceding vulnerability, some applications do not maintain any server-side record of tokens that have been issued, but instead duplicate each token within a cookie and a request parameter. When the subsequent request is validated, the application simply verifies that the token submitted in the request parameter matches the value submitted in the cookie. This is sometimes called the "double submit" defense against CSRF, and is advocated because it is simple to implement and avoids the need for any server-side state:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa

csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&email=wiener@normal-user.com

In this situation, the attacker can again perform a CSRF attack if the website contains any cookie-setting functionality. Here, the attacker doesn't need to obtain a valid token of their own. They simply invent a token (perhaps in the required format, if that is being checked), leverage the cookie-setting behavior to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.

LAB (Practitioner): CSRF where token is duplicated in cookie
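As an added example covering the last three sections (token not tied to the session, token tied to a non-session cookie, and the "double submit" pattern), and not code from the Web Security Academy page, the Python below contrasts a double-submit check with a validator that binds each token to the server-side session record. The session store, session identifiers and function names are constructed for the demonstration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed server-side session store (session cookie value -> session data).
# The CSRF token is kept here, bound to one session, never in a cookie.
SESSIONS = {
    "victim-session-id": {"user": "wiener", "csrf": None},
    "attacker-session-id": {"user": "attacker", "csrf": None},
}

def issue_token(session_id):
    """Mint an unpredictable token and bind it to exactly this session."""
    token = secrets.token_urlsafe(24)
    SESSIONS[session_id]["csrf"] = token
    return token

def _cookies(header):
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def double_submit_validate(cookie_header, body):
    """Flawed 'double submit': cookie and parameter merely have to agree, so a
    csrf cookie planted via any cookie-setting behaviour passes the check."""
    cookie_token = _cookies(cookie_header).get("csrf", "")
    param_token = parse_qs(body).get("csrf", [""])[0]
    return bool(param_token) and cookie_token == param_token

def session_bound_validate(cookie_header, body):
    """Hardened check: the token is compared with the one recorded for the
    session named by the session cookie; any csrf cookie is simply ignored,
    and a token issued to a different session is never accepted."""
    session = SESSIONS.get(_cookies(cookie_header).get("session", ""))
    if session is None or not session["csrf"]:
        return False
    submitted = parse_qs(body).get("csrf", [""])[0]
    return hmac.compare_digest(submitted.encode(), session["csrf"].encode())
```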
