CSRF token not sent when calling the back-end?

My system composes of NuxtJs and AdonisJs application. Adonis handles csrf tokens for us by sending:

set-cookie: adonis-session=XXX; Path=/; HttpOnly set-cookie: XSRF-TOKEN=XXX; Max-Age=7200; Path=/; SameSite=Strict set-cookie: adonis-session-values=XXX; Path=/; HttpOnly 

Now from what I can see, it will set a cookie that can be sent only by a browser. And only if the host is the same. From my understanding, from that point on, browser is the one who will auto attach cookies like that to each request. The problem is, when Nuxt application is making an API request to the back-end I do not see any csrf token being sent when looking at the traffic trough BurpSuite.

And naturally adonis will reply with "Invalid CSRF Token", and respond with status code 500.

I’m not sure what am I missing, I fail to understand why browser is not sending that cookie. And just as the extra information I’ve failed to find it trough browser’s inspector window (Storage tab). Is it possible that the cookie is not set or?

I’ve seen other posts regarding this issue, but they where not helpful because the solution was composed of reading a cookie and manually sending it as the header. Which I do not advise, and is not the model I’m going to implement. I would rather leave it to the back-end framework and browser to do the job for me, because as we all know, there would be less room for me to make a mistake.

Thank you for reading this.

CSRF on GraphQL endpoint

I am currently doing bug bounty on a company which uses GRAPHQL for their query language and would like to check if CSRF is possible. After playing around with burpsuite I have conclude the following;

  • Company doesn’t use csrf token when fetching data
  • Origin and Referer can be erased and request will still work

If the company is using JSON, I would be able to produce a PoC for CSRF but because they are using GraphQL, I could produce CSRF PoC for the following reason;

  • Everytime form ‘Content-Type’ is set to ‘text/plain’ and every data has been setup inside of my input form, a ‘=’ is appended at the end of body request, like this:

    POST /HTTPT/1.1

    — Request Body —

    [ … ]=

– This equal sign caused the request to fail

IS there anyway I could bypass this? Been looking for a while but got nothing. Thank you in advance!

Cross-Domain Request is a CSRF Attack? (CORS)

CORS is a HTTP Suite header that “relax” the SOP. One of the CORS misconfigurations is about to reflect without reg exp the “Origin” client header into “ACAO” response header. If it happens with “ACAC:true” every cross-domain HTTP request is allowed.

If an attacker induces a victim to visit with another tab of the browser, a malicious web server with a Javascript CORS exploit; the browser triggered by exploit does a HTTP request to a vulnerable webpage and sends the output to a web server controlled by the attacker.

It happens because CORS has a misconfiguration and because the vulnerable page doesn’t have a CSRF Token.

Was this Cross-Domain HTTP request essentially a CSRF attack? If yes, it happens because there is a CORS misconfiguration and there isn’t the CSRF Token? What happens if it has a Anti-XSRF Token?

I read that CORS and SOP can’t block a CSRF attack, because the policy prevents only to access to the response on the request, but the HTTP request works anyway.

If CORS and SOP can’t block a CSRF attack, the CSRF attack could work also if the web server target is not vulnerable a CORS misconfiguration?

CSRF: GET request with POST data?

I have stumbled upon a vulnerability in a web application and was wondering if it was exploitable / worth reporting. The bug is a CSRF which would allow an attacker to send friend requests to himself from other user accounts (in turn letting him view sensitive information about the victim accounts). The request is usually made using a POST request. Using usual exploitation techniques, I crafted the following webpage.

<html>     <head></head>     <body>         <span>csrf test</span>          <form action="http://vulnerable.com/friendRequest.asp" method="POST">             <input type="hidden" name="MessageArea" value="this is a test of csrf">             <input type="hidden" name="FriendName" value="testuser">         </form>          <script>             document.forms[0].submit();         </script>      </body> </html> 

Unfortunately though, the website checks for the origin header in the request, so this payload doesn’t work. Switching to a GET request and deleting the origin header actually sends the request successfully. The request looks like the following.

GET /friendRequest.asp HTTP/1.1 Host: www.vulnerable.com User-Agent: Mozilla/5.0 ... (no origin header) Cookie: secret_cookie  MessageArea=this+is+a+test+for+csrf&FriendName=testuser 

As you can see this is a GET request with POST data sent at the bottom. Unfortunately the request doesn’t go through with the parameters in the URL like in a true GET request. Is there any way to use an external form (like the one above) to send a malformed GET request with POST data to achieve this CSRF? I have looked into XMLHttpRequest and fetch but I’m not sure that they are the right tools for the job.

Retrieving CSRF token from third party website form using XHR (JavaScript)

I know they say CSRF tokens are the most secure way to prevent CSRF attacks but what if someone uses XHR to retrieve the page containing the csrf token along with the form and then use that token for his attacks?

Why they don’t say “Referer” header is the most secure way to prevent CSRF attacks? Afterall nearly 99% of the currently in-use browsers will provide “Referer” header and the attacker cannot change it in anyway. (Yes, he can’t, unless the browser/OS itself is compromised)

Now that I protect my website using “referer” header, do I really need csrf tokens? All my important requests are using POST and not GET method.

Is CSRF protection required for sensitive GET requests with CORS enabled?

Based on other questions, it seems protecting GET resources with CSRF tokens is useless. However, that quickly becomes untrue when CORS gets thrown into the mix

I have a server domain server.com and a UI app at client.com. The server.com domain handles user auth and sets a session cookie under the server.com domain. It also has a rest-like endpoint that serves GET requests at /user_data and returns sensitive user data to users with a valid session. The 3rd party UI at client.com needs access to the user_data in an AJAX call, so CORS is enabled at the /user_data endpoint for the origin domain client.com via Access-Control-Allow-Origin.

The endpoint in question has no side effects, although it serves sensitive data to a 3rd party. Do I need to implement some CSRF token protection for the endpoint? Could the user_data be read by a compromised client.com webpage (via persistent XSS)? If so, can I use a query param mechanism of CSRF token exchange? The way I understand it, it’s the only option, because the client.com cannot read csrf tokens stored in a server.com cookies. However OWASP guidelines state that:

Make sure that the token is not leaked in the server logs, or in the URL.

If that’s also a problem, how can I secure my application?