
Top 25 CSRF Bug Bounty Reports

Cristian Cornea
5 min read, Jan 8, 2021



In this article, we will discuss the CSRF vulnerability class, how to find one, and present 25 disclosed bug bounty reports based on this issue.

What is CSRF?

Cross-Site Request Forgery (CSRF) is a web vulnerability through which an attacker tricks a victim's browser into performing unwanted actions on an application in which the victim is currently authenticated. The browser attaches the session cookie automatically, so the application cannot distinguish the forged request from one the user intended to send. This issue must be combined with a social engineering technique in order to accomplish its exploitation goals. The impact can vary from low severity to a complete application compromise, depending on which components and endpoints are affected by CSRF.

Types of Cross-Site Request Forgery

Let’s take a look at three common types of CSRF:

  • URL-based CSRF: It can be easily exploited, because the attacker only needs to craft a specific URL and wait for the victim to click it (or simply to load a page that embeds it, for example in an <img> tag). This affects only requests that accept the GET HTTP method, which is why state-changing actions should never be reachable via GET.

For example, let’s suppose we have an administrator portal located at the following URL:

https://corneacristian.medium.com/admin.php

This portal can be accessed only with a password, which can be regenerated by a system administrator who is already authenticated into the administration portal, by visiting the following link:

https://corneacristian.medium.com/admin.php?action=reset_admin_pass&email_to=admin@medium.com

It will send the new password to the address supplied in the “email_to” URL parameter. We already know that this is vulnerable to CSRF, so we can craft the link below, send it to the system administrator (through a LinkedIn message, for example), wait for them to click it, and we will receive the new password at our own address (attacker@medium.com), resulting in a full admin panel compromise.

https://corneacristian.medium.com/admin.php?action=reset_admin_pass&email_to=attacker@medium.com

  • Form-based CSRF: For this type of CSRF, we must work a little harder, because the goal is to force the end user to submit data through a malicious form. It can be used against requests that accept the POST HTTP method.

For example, let’s say that web developers fixed the issue described above (URL-based CSRF)…
