CSRF Testing

Find areas that should have CSRF protection and test if it's actually enforced.

1. Standard CSRF test – remove the token entirely
2. Change method to GET
3. Change CSRF token value to undefined
4. Delete CSRF token value or entire parameter
5. Use same CSRF token across two different accounts
6. Replace CSRF token with same-length random string
7. Change content-type from application/json to text/plain
8. Use a vulnerable subdomain to bypass CSRF token validation

<meta name="referrer" content="no-referrer" />

<iframe src="data:text/html;base64,BASE64_ENCODED_FORM">

If they check that their domain is in the Referer header:

https://yoursite.com/https://theirsite.com/

The parser may match theirsite.com as a substring.

Wrap the sensitive form in an iframe for clickjacking – forces user interaction that carries their session. See Bug Chaining for details.

• Account profile updates (name, email, password)
• Email change – especially if no second confirmation required
• Privilege changes, adding OAuth apps
• Payment actions
• Admin-only actions

• CSRF on email change + no confirmation = account takeover
• CSRF on OAuth app authorization = attacker's app gains access
• Chain CSRF with XSS for stored CSRF that fires for all users

• TBHM CSRF
• XSS Testing
• Bug Chaining
• Methodology Index