Cross Site Request Forgery (CSRF)

Blog / Articles:

• http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html

• https://labs.detectify.com/2017/03/15/loginlogout-csrf-time-to-reconsider/

• https://medium.com/@secureITmania/how-i-exploit-the-json-csrf-with-method-override-technique-71c0a9a7f3b0

• https://labs.detectify.com/2017/03/15/loginlogout-csrf-time-to-reconsider/

• https://medium.com/@zseano/site-wide-csrf-issue-chained-with-clickjacking-multiple-sites-vulnerable-6201abab0d3e

• https://blog.securityinnovation.com/seven-sins-of-anti-csrf-tokens?utm_campaign=Blog%20Posts&utm_content=135806080&utm_medium=social&utm_source=twitter&hss_channel=tw-213735745

• https://medium.com/bugbountywriteup/lets-bypass-csrf-protection-password-confirmation-to-takeover-victim-accounts-d-4a21297847ff

Bypasses / Cheatsheets:

https://twitter.com/hackerscrolls/status/1265217322308046849

1MB

screencapture-web-archive-org-web-20170330124956-http-zseano-com-tut-5-html-2020-09-30-00_04_31.pdf

pdf

• https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/

CSRF MindMap:

Videos:

• https://www.youtube.com/watch?v=eWEgUcHPle0

• https://www.youtube.com/watch?v=ULvf6N8AL2A&feature=youtu.be

ATO using CSRF -Account setting-password change option -We need current password to change new password -capture the request,remove current password and CSRF-Token paramater -Generate CSRF poc -Send it to victim and victim password go changed #bugbountytips #BugBounty