# Cross-Site Request Forgery (CSRF) Testing
---
name: Cross-Site Request Forgery (CSRF) Testing
description: This skill should be used when the user asks to "test for CSRF vulnerabilities," "create CSRF proof of concept exploits," "bypass anti-CSRF token protections," "validate CSRF mitigation controls," or "exploit cross-site request forgery in web applications." It provides comprehensive guidance for detecting, exploiting, and remediating CSRF vulnerabilities.
version: 1.0.0
tags: [csrf, web-security, penetration-testing, session-security, access-control]
---
## Purpose
Provide systematic methodologies for identifying and exploiting Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. This skill covers CSRF attack mechanics, proof-of-concept creation, token bypass techniques, testing methodologies, and mitigation strategies for preventing unauthorized state-changing actions on behalf of authenticated users.
## Inputs / Prerequisites
- **Target Web Application**: URL of application with state-changing functionality
- **Authenticated User Session**: Valid login credentials for testing
- **Proxy Tool**: Burp Suite or similar for request interception and modification
- **HTML/JavaScript Knowledge**: Ability to craft malicious payloads
- **Authorization**: Written permission for security testing activities
## Outputs / Deliverables
- **CSRF Vulnerability Report**: Documentation of exploitable endpoints
- **Proof of Concept HTML**: Working exploit demonstrating vulnerability
- **Token Analysis**: Assessment of anti-CSRF token implementation
- **Impact Assessment**: Business impact of identified vulnerabilities
- **Remediation Recommendations**: Specific fixes for discovered issues
## Core Workflow
### 1. Understand CSRF Attack Mechanics
#### Attack Flow
```
1. User authenticates to target website (bank.com)
2. Browser stores session cookie: sessionid=abcd1234
3. Attacker crafts malicious request targeting sensitive action
4. User visits attacker-controlled page while still authenticated
5. Malicious page triggers request to target site
6. Browser automatically includes session cookie
7. Server processes request as legitimate user action
```
#### Why CSRF Works
- Browsers automatically attach cookies to same-origin requests
- Server trusts requests containing valid session cookies
- No mechanism verifies user intent for each action
- Cross-origin requests can trigger state changes
### 2. Identify Vulnerable Endpoints
#### Review Application Behavior
```
Target endpoints that perform state-changing actions:
- Password/email changes: POST /account/update
- Money transfers: POST /transfer
- Settings modifications: POST /settings/save
- Administrative actions: POST /admin/delete-user
- Shopping cart operations: POST /cart/add
- Profile updates: POST /profile/edit
```
#### Capture and Analyze Requests
```http
# Intercept state-changing request with Burp Suite
POST /account/change-email HTTP/1.1
Host: target.com
Cookie: sessionid=abcd1234
Content-Type: application/x-www-form-urlencoded
email=newuser@email.com
```
### 3. Test for CSRF Protections
#### Check for Anti-CSRF Tokens
```http
# Look for token in form or headers
POST /transfer HTTP/1.1
Host: bank.com
Cookie: sessionid=abcd1234
amount=1000&account=12345&csrf_token=xyz789
```
**Testing Token Validation:**
```
1. Remove token entirely → Does request succeed?
2. Use empty token value → Does request succeed?
3. Use token from different session → Does request succeed?
4. Modify token characters → Does request succeed?
5. Reuse old token → Does request succeed?
```
#### Check Referer/Origin Header Validation
```http
# Remove Referer header
POST /transfer HTTP/1.1
Host: bank.com
# Referer: (removed)
# Modify Referer header
POST /transfer HTTP/1.1
Host: bank.com
Referer: https://attacker.com/csrf.html
```
#### Check HTTP Method Handling
```
# If POST is protected, try GET
Original: POST /transfer?amount=1000
Attempt: GET /transfer?amount=1000
# Some applications accept both methods
```
### 4. Create CSRF Proof of Concept
#### Hidden Form Auto-Submit
```html
Win a Prize!
Click here to claim your prize!
```
#### Image Tag GET Request
```html
```
#### XHR-Based CSRF (for CORS Misconfiguration)
```html
```
#### iFrame-Based CSRF
```html
```
### 5. Token Bypass Techniques
#### Token in Cookie (Double Submit Bypass)
```html
```
#### Token Tied to Non-Session Cookie
```
# If CSRF token cookie is separate from session
1. Obtain valid CSRF token from any session
2. Use this token across different user sessions
3. Token may be valid for all users
```
#### Token Validation Based on Request Method
```html
```
## Quick Reference
### CSRF Testing Checklist
| Test | Method | Vulnerability Indicator |
|------|--------|------------------------|
| Remove CSRF token | Delete token parameter | Request succeeds |
| Empty token value | Set token="" | Request succeeds |
| Different session token | Use another user's token | Request succeeds |
| Predictable token | Analyze token entropy | Low randomness |
| Token in URL | Check token exposure | Token in GET parameters |
| Static token | Same token across sessions | Token never changes |
| Remove Referer | Delete header | Request succeeds |
| Spoof Referer | Change to attacker.com | Request succeeds |
| Method override | POST → GET | Action executes |
### Common CSRF Payload Templates
| Scenario | Template |
|----------|----------|
| POST form | `` |
| GET image | `
` |
| Auto-submit | `` |
| JSON body | XHR with `Content-Type: text/plain` (bypass preflight) |
| Delayed submit | `setTimeout(function(){form.submit()}, 2000)` |
### Anti-CSRF Token Validation Tests
| Test Case | Expected Secure Behavior |
|-----------|-------------------------|
| Token missing | Request rejected (400/403) |
| Token empty | Request rejected |
| Token from other session | Request rejected |
| Token modified | Request rejected |
| Expired token | Request rejected |
| Reused token (one-time use) | Request rejected |
## Constraints and Limitations
### Operational Boundaries
- Modern browsers implement SameSite cookie defaults (Lax)
- CORS policies may block cross-origin requests
- Content-Type restrictions limit some attack vectors
- Framework-level protections increasingly common
- Token-based APIs may not be vulnerable
### Attack Limitations
- Requires victim to be authenticated
- Victim must visit attacker-controlled page
- Cannot read response (blind attack)
- Complex multi-step actions harder to exploit
- CAPTCHA/re-authentication blocks exploitation
### Legal Requirements
- Only test applications with written authorization
- Document all testing activities and findings
- Do not exploit real user sessions
- Report findings through proper channels
## Examples
### Example 1: Basic Email Change CSRF
```html
```
### Example 2: Money Transfer CSRF
```html
Congratulations!
You've won $1,000,000!
Please wait while we process your prize...
```
### Example 3: GET-Based CSRF via Image
```html
Check out this funny image!
```
### Example 4: Token Bypass - Empty Value
```html
```
### Example 5: JSON Body CSRF
```html
```
### Example 6: Real-World Gmail CSRF (Historical)
```html
```
## Troubleshooting
### Issue: CSRF Attack Blocked by SameSite Cookie
**Cause**: Modern browsers default to SameSite=Lax
**Solution**:
```
# SameSite=Lax allows GET requests from cross-origin navigation
1. Convert POST to GET if application accepts it
2. Use top-level navigation:
# SameSite=None required for cross-origin POSTs
# If cookie has SameSite=Strict, CSRF is largely mitigated
```
### Issue: CORS Blocking XHR Requests
**Cause**: Browser enforces same-origin policy
**Solution**:
```html
```
### Configure SameSite Cookie Attribute
```http
# Strict: Never send cookie cross-origin
Set-Cookie: sessionid=abc123; SameSite=Strict; Secure; HttpOnly
# Lax: Send only with top-level GET navigations
Set-Cookie: sessionid=abc123; SameSite=Lax; Secure; HttpOnly
```
### Validate Referer/Origin Headers
```python
# Server-side validation example
def validate_origin(request):
origin = request.headers.get('Origin')
referer = request.headers.get('Referer')
allowed_origins = ['https://trusted-site.com']
if origin and origin not in allowed_origins:
return False
if referer and not referer.startswith('https://trusted-site.com'):
return False
return True
```
### Require Re-Authentication for Sensitive Actions
```
# For critical operations:
1. Password changes → Require current password
2. Fund transfers → Require 2FA confirmation
3. Account deletion → Email/SMS verification
4. Admin actions → Session timeout + re-auth
```
### Use Framework Security Features
```python
# Django CSRF middleware (enabled by default)
MIDDLEWARE = [
'django.middleware.csrf.CsrfViewMiddleware',
]
# Template usage
```