====== CSRF Testing ======
Find areas that should have CSRF protection and test whether it is actually enforced.
===== 8-Step Test =====
- Standard CSRF test -- remove the token entirely
- Change method to GET
- Change CSRF token value to ''undefined''
- Delete CSRF token value or entire parameter
- Use same CSRF token across two different accounts
- Replace CSRF token with same-length random string
- Change content-type from ''application/json'' to ''text/plain''
- Use a vulnerable subdomain to bypass CSRF token validation
===== Bypass Techniques =====
==== Blank Referer ====
==== iframe data URI ====
==== Referer Bypass ====
If the check only tests that their domain appears somewhere in the Referer header, a Referer of the form:
https://yoursite.com/https://theirsite.com/
may be accepted: the parser matches ''theirsite.com'' as a substring instead of comparing the host exactly.
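The following is an added example, not part of the original page: a server-side CSRF check written to survive every item in the 8-step list above plus the Referer bypass, with a harness that replays each case. The site names, session ids and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)   # constructed per-process key; a real app persists it
ORIGIN = "https://theirsite.com"   # hypothetical protected site, as in the Referer example

def issue_token(session_id: str) -> str:
    # Bind the token to the session so a token lifted from another account fails.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def referer_ok(referer) -> bool:
    # Compare scheme and host exactly; a substring match would accept
    # https://yoursite.com/https://theirsite.com/ as well as any subdomain.
    if not referer:
        return False                    # blank Referer is a fail, not a pass
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == ORIGIN

def csrf_check(method: str, session_id: str, token, content_type: str, referer) -> bool:
    if method.upper() not in ("POST", "PUT", "PATCH", "DELETE"):
        return False                    # state changes are never accepted over GET
    if not token or token == "undefined":
        return False                    # missing, empty, or the literal "undefined"
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False                    # text/plain lets a plain HTML form send the body
    if not referer_ok(referer):
        return False
    return hmac.compare_digest(token, issue_token(session_id))  # constant-time compare

def run_eight_step(session_id: str = "sess-A") -> dict:
    # Replay each bypass from the 8-step list; only "valid" should be accepted.
    good, other = issue_token(session_id), issue_token("sess-B")
    ct, ref = "application/json", ORIGIN + "/settings"
    cases = {
        "valid":             ("POST", session_id, good, ct, ref),
        "token_removed":     ("POST", session_id, None, ct, ref),
        "method_get":        ("GET", session_id, good, ct, ref),
        "undefined":         ("POST", session_id, "undefined", ct, ref),
        "empty_value":       ("POST", session_id, "", ct, ref),
        "other_account":     ("POST", session_id, other, ct, ref),
        "random_same_len":   ("POST", session_id, secrets.token_hex(32), ct, ref),
        "text_plain":        ("POST", session_id, good, "text/plain", ref),
        "referer_substring": ("POST", session_id, good, ct, "https://yoursite.com/https://theirsite.com/"),
        "subdomain":         ("POST", session_id, good, ct, "https://evil.theirsite.com/"),
        "blank_referer":     ("POST", session_id, good, ct, ""),
    }
    return {name: csrf_check(*args) for name, args in cases.items()}
```

Any case other than ''valid'' that comes back ''True'' is a finding for the corresponding step.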
==== Clickjacking CSRF ====
Wrap the sensitive form in an iframe for clickjacking -- forces user interaction that carries their session. See [[zseano:escalation|Bug Chaining]] for details.
===== Focus Areas =====
* Account profile updates (name, email, password)
* Email change -- especially if no second confirmation is required
* Privilege changes, adding OAuth apps
* Payment actions
* Admin-only actions
===== Escalation =====
* CSRF on email change + no confirmation = account takeover
* CSRF on OAuth app authorization = attacker's app gains access
* Chain CSRF with [[zseano:xss|XSS]] for stored CSRF that fires for all users
===== See Also =====
* [[tbhm:08_csrf|TBHM CSRF]]
* [[zseano:xss|XSS Testing]]
* [[zseano:escalation|Bug Chaining]]
* [[zseano:start|Methodology Index]]