Try sending a modified request with your valid CSRF token against another user.

Here, the issue lies with the token's expiry time.

Log out of the application and log in again (make sure to remove locally cached data and cookie values from the browser), then replace the CSRF token with the previous token value.

Log in to the application and capture the CSRF token.

Check if the application accepts a CSRF token from an expired user session.

If it succeeds, the application improperly verifies the value of the token against a valid token.

Try sending a request with a random CSRF token that follows the pattern the application uses to issue a token.

If it succeeds, the application again fails to verify the value of the token.

Try sending a request with a blank CSRF token.

If the request is accepted, the application no doubt issues a token but does not validate it.

Try sending a request without a CSRF token at all.

Intercept the request via a proxy and modify it.

Check if proper measures are set to verify the tokens, and look at the responses accordingly.

If not, the application is definitely vulnerable to CSRF.

Check if there is any CSRF token issued at all.

You can check the validity of the issued tokens and use the stated ways to bypass the validations and measures, as:

Issuing a CSRF token does not mean the application is secure from CSRF.

To prevent the application from being redirected to a random URL, applications implement CSRF tokens.

>document.location
>document.URL
>document.open()
>window.navigate()
>window.open()

Look for below JavaScript APIs that may be performing redirects:

In cases where the redirection is performed via client-side JavaScript that requests data from the DOM, the code for redirection is typically visible on the client end.

Moreover, an application might be performing checks or blacklisting a certain pattern by blocking absolute URLs.
The application could be implementing a redirection to an absolute or relative URL. Try replacing an absolute URL with an external domain to check if it redirects, or a relative URL with an absolute URL of an external domain to test if it redirects.

If the application is redirected to a modified destination, it is definitely vulnerable.

In the above scenarios, replace the safe redirection URLs with your URL and modify the request accordingly.

HTTP/1.1 200 OK
Content-Length: 123

document.location=" "

Check APIs within JavaScript for redirecting the browser to an arbitrary URL.

Check HTML tags that replicate the behavior of any HTTP header for redirection.

Use the refresh header to reload the page with an arbitrary URL after a fixed interval; you can set the interval to 0 to trigger an immediate redirection.

Look for a 3xx status code and a Location header.

HTTP/1.1 302 Object moved
Location:
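
The CSRF token checks listed above, seen from the server side: an added example (not code from the original post) of a validator that binds each token to one live session, so a missing, blank, random, old-session or other-user token is rejected. `SERVER_KEY`, `SESSIONS` and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment secret
SESSIONS = {}  # session id -> user; stands in for a server-side session store

def login(user):
    """Start a fresh session under a new, unpredictable session id."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = user
    return session_id

def logout(session_id):
    """Destroy the session so tokens bound to it stop validating."""
    SESSIONS.pop(session_id, None)

def issue_token(session_id):
    """Token = HMAC(server key, session id), so it fits exactly one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def check_request(session_id, submitted_token):
    """Return (accepted, reason) for a state-changing request."""
    if session_id not in SESSIONS:
        return False, "no live session"
    if submitted_token is None:
        return False, "token missing"
    if submitted_token == "":
        return False, "token blank"
    expected = issue_token(session_id).encode()
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not hmac.compare_digest(expected, submitted_token.encode()):
        return False, "token mismatch"
    return True, "ok"

def run_checks():
    """Replay the page's checks; only the first request may be accepted."""
    alice, bob = login("alice"), login("bob")
    alice_token, bob_token = issue_token(alice), issue_token(bob)
    results = {
        "valid": check_request(alice, alice_token),
        "missing": check_request(alice, None),
        "blank": check_request(alice, ""),
        "random_same_pattern": check_request(alice, secrets.token_hex(32)),
        "other_user": check_request(alice, bob_token),
    }
    logout(alice)  # old session ends; log in again and replay the old token
    results["old_session_token"] = check_request(login("alice"), alice_token)
    return results
```
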