Sebastian recently discovered an interesting CSRF bypass and we would like to share this finding with you.
The webapplication used some forms and submitting them resulted in the following POST request:
1 2 3 4 5 6 7 8 9 10
As you can see, there are multiple CSRF protection mechanisms in place:
The obvious thing to do is to remove/neutralize all the mechanisms and resend the request. Unfortunately, the application correctly rejected the request due to invalid CSRF tokens.
So what’s next?
Did you notice that the content that is being changed (
Let’s try to change the request method and remove all the POST-request related stuff:
1 2 3
That’s a simple GET request and guess what? The application did not reject the request. We successfully bypassed the CSRF protection.
What did we learn?
- Changing the request methods can lead to interesting behaviour/ bypasses.
- Never trust user-supplied data ;)
the team of internetwache.org