In what ways site administrators can detect incoming CSRF attacks? Is it possible or not?
My system composes of NuxtJs and AdonisJs application. Adonis handles csrf tokens for us by sending:
set-cookie: adonis-session=XXX; Path=/; HttpOnly set-cookie: XSRF-TOKEN=XXX; Max-Age=7200; Path=/; SameSite=Strict set-cookie: adonis-session-values=XXX; Path=/; HttpOnly
Now from what I can see, it will set a cookie that can be sent only by a browser. And only if the host is the same. From my understanding, from that point on, browser is the one who will auto attach cookies like that to each request. The problem is, when Nuxt application is making an API request to the back-end I do not see any csrf token being sent when looking at the traffic trough BurpSuite.
And naturally adonis will reply with "Invalid CSRF Token", and respond with status code 500.
I’m not sure what am I missing, I fail to understand why browser is not sending that cookie. And just as the extra information I’ve failed to find it trough browser’s inspector window (Storage tab). Is it possible that the cookie is not set or?
I’ve seen other posts regarding this issue, but they where not helpful because the solution was composed of reading a cookie and manually sending it as the header. Which I do not advise, and is not the model I’m going to implement. I would rather leave it to the back-end framework and browser to do the job for me, because as we all know, there would be less room for me to make a mistake.
Thank you for reading this.
I am currently doing bug bounty on a company which uses GRAPHQL for their query language and would like to check if CSRF is possible. After playing around with burpsuite I have conclude the following;
- Company doesn’t use csrf token when fetching data
- Origin and Referer can be erased and request will still work
If the company is using JSON, I would be able to produce a PoC for CSRF but because they are using GraphQL, I could produce CSRF PoC for the following reason;
Everytime form ‘Content-Type’ is set to ‘text/plain’ and every data has been setup inside of my input form, a ‘=’ is appended at the end of body request, like this:
— Request Body —
[ … ]=
– This equal sign caused the request to fail
IS there anyway I could bypass this? Been looking for a while but got nothing. Thank you in advance!
CORS is a HTTP Suite header that “relax” the SOP. One of the CORS misconfigurations is about to reflect without reg exp the “Origin” client header into “ACAO” response header. If it happens with “ACAC:true” every cross-domain HTTP request is allowed.
It happens because CORS has a misconfiguration and because the vulnerable page doesn’t have a CSRF Token.
Was this Cross-Domain HTTP request essentially a CSRF attack? If yes, it happens because there is a CORS misconfiguration and there isn’t the CSRF Token? What happens if it has a Anti-XSRF Token?
I read that CORS and SOP can’t block a CSRF attack, because the policy prevents only to access to the response on the request, but the HTTP request works anyway.
If CORS and SOP can’t block a CSRF attack, the CSRF attack could work also if the web server target is not vulnerable a CORS misconfiguration?
I have stumbled upon a vulnerability in a web application and was wondering if it was exploitable / worth reporting. The bug is a CSRF which would allow an attacker to send friend requests to himself from other user accounts (in turn letting him view sensitive information about the victim accounts). The request is usually made using a
POST request. Using usual exploitation techniques, I crafted the following webpage.
<html> <head></head> <body> <span>csrf test</span> <form action="http://vulnerable.com/friendRequest.asp" method="POST"> <input type="hidden" name="MessageArea" value="this is a test of csrf"> <input type="hidden" name="FriendName" value="testuser"> </form> <script> document.forms.submit(); </script> </body> </html>
Unfortunately though, the website checks for the
origin header in the request, so this payload doesn’t work. Switching to a
GET request and deleting the
origin header actually sends the request successfully. The request looks like the following.
GET /friendRequest.asp HTTP/1.1 Host: www.vulnerable.com User-Agent: Mozilla/5.0 ... (no origin header) Cookie: secret_cookie MessageArea=this+is+a+test+for+csrf&FriendName=testuser
As you can see this is a
GET request with
POST data sent at the bottom. Unfortunately the request doesn’t go through with the parameters in the URL like in a true
GET request. Is there any way to use an external form (like the one above) to send a malformed
GET request with POST data to achieve this
CSRF? I have looked into
fetch but I’m not sure that they are the right tools for the job.
I am developing an ASP.NET Core web api project whose only client will be a mobile app developed in Xamarin. There will be no web frontend for the application.
Can CSRF attacks be executed if the user can only login and consume the api from the mobile app?
Could you please let me know how can we check the origin header server-wide in IIS to prevent CSRF through the configuration change only without adding a custom HTTP module in IIS?
I know they say CSRF tokens are the most secure way to prevent CSRF attacks but what if someone uses XHR to retrieve the page containing the csrf token along with the form and then use that token for his attacks?
Why they don’t say “Referer” header is the most secure way to prevent CSRF attacks? Afterall nearly 99% of the currently in-use browsers will provide “Referer” header and the attacker cannot change it in anyway. (Yes, he can’t, unless the browser/OS itself is compromised)
Now that I protect my website using “referer” header, do I really need csrf tokens? All my important requests are using POST and not GET method.
How would one go about defending against this sort of attack to best protect a sloppy user? There can be obvious signs of a spoofing attack, such as not using SSL, slightly different domain, etc, but I am assuming Tristed.com (the malicious site) has completely fooled the user. The only mitigation that comes to mind is having automation prevention built in, like Captcha. I don’t know if I am completely missing something here, so apologies in advance. I have abstracted a lot of detail for the sake of keeping the diagram simple.
Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix
I have a server domain
server.com and a UI app at
server.com domain handles user auth and sets a session cookie under the
server.com domain. It also has a rest-like endpoint that serves GET requests at
/user_data and returns sensitive user data to users with a valid session. The 3rd party UI at
client.com needs access to the user_data in an AJAX call, so
CORS is enabled at the
/user_data endpoint for the origin domain
The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised
client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of
CSRF token exchange? The way I understand it, it’s the only option, because the
client.com cannot read csrf tokens stored in a
server.com cookies. However OWASP guidelines state that:
Make sure that the token is not leaked in the server logs, or in the URL.
If that’s also a problem, how can I secure my application?