---
name: csrf-testing
description: Cross-site request forgery testing for state-changing operations
origin: RedteamOpencode
---

# CSRF Testing (Cross-Site Request Forgery)

## When to Activate

- State-changing operations (POST, PUT, DELETE, PATCH)
- Cookie-based authentication
- Forms or API calls that modify user data, settings, or permissions

## Tools

- `run_tool curl` (manual request replay)
- Burp Suite (generate CSRF PoC)
- Browser DevTools (inspect cookies, headers)
- Custom HTML PoC pages

## Methodology

### 1. Identify CSRF Protections

- [ ] Check for CSRF token in forms (hidden field `csrf_token`, `_token`, `authenticity_token`)
- [ ] Check for CSRF token in headers (`X-CSRF-Token`, `X-XSRF-Token`)
- [ ] Check `SameSite` attribute on session cookies
- [ ] Check `Referer` / `Origin` header validation
- [ ] Check custom headers requirement (e.g., `X-Requested-With`)
- [ ] Check `Content-Type` enforcement (JSON only = partial protection)

### 2. Test Token Validation

- [ ] Remove CSRF token entirely — does request succeed?
- [ ] Submit empty token value
- [ ] Use token from another session / different user
- [ ] Reuse old/expired token
- [ ] Change token to arbitrary value
- [ ] Check if token is tied to session or independent
- [ ] Swap HTTP method: POST → GET (may skip token check)

### 3. Test SameSite Cookie Bypass

- [ ] `SameSite=None` — no protection, full CSRF possible
- [ ] `SameSite=Lax` — test top-level GET navigation (form method=GET)
- [ ] `SameSite=Lax` — 2-minute window after cookie set (Chrome)
- [ ] No SameSite set — defaults vary by browser (Lax in Chrome)
- [ ] Check if API uses cookies at all (vs Bearer tokens)

### 4. Test Referer/Origin Validation

- [ ] Remove `Referer` header entirely (use `<meta name="referrer" content="no-referrer">`)
- [ ] Set Origin to `null` (sandboxed iframe, data: URI)
- [ ] Subdomain spoofing: `https://target.com.attacker.com`
- [ ] Prefix bypass: `https://attacker.com/target.com`
- [ ] Check regex flaws in validation

### 5. Build CSRF PoC

- [ ] Auto-submit form:
      ```html
      <form action="https://target/change-email" method="POST">
        <input name="email" value="attacker@evil.com">
      </form>
      <script>document.forms[0].submit()</script>
      ```
- [ ] Image tag for GET: `<img src="https://target/delete?id=1">`
- [ ] XHR/fetch for JSON APIs (if CORS allows)
- [ ] Multipart form for file upload CSRF

### 6. High-Value Targets

- [ ] Password change (without current password)
- [ ] Email change
- [ ] Account settings modification
- [ ] Admin actions (create user, change roles)
- [ ] Financial transactions
- [ ] API key generation / rotation

### 7. Chained Attacks

- [ ] CSRF + Self-XSS = stored XSS via CSRF
- [ ] CSRF + login = login CSRF (force victim into attacker's account)
- [ ] CSRF + CORS misconfiguration

## What to Record

- Endpoint and action vulnerable to CSRF
- Missing or bypassable protection mechanism
- Working PoC HTML
- Business impact of the forged action
- Severity: Medium (settings change) to High (account takeover, financial)
- Remediation: synchronizer token pattern, SameSite=Strict, Origin validation