In this write-up I want to share a very simple kind of CSRF bug that I found in a bug bounty program, one that did not require Burp Suite or any other proxy tool to discover.
If you're not familiar with the CSRF vulnerability, I suggest you read this article before continuing: https://owasp.org/www-community/attacks/csrf.
Usually CSRFs are found either in forms on websites or through URLs that initiate some action. In this case I found a CSRF through a URL that initiated one of the main functionalities of a website. I found this URL simply by clicking through the website and looking at the different URLs that appeared in the browser as I clicked. I can't reveal the company, so for the rest of this write-up let's call the website redacted.com.
The vulnerable URL looked something like https://redacted.com/projects/#createproject/sampleproject/webproject.com. By clicking this link the user would create a project under redacted.com/projects with the given project name and project link. What happened was that the #createproject fragment called a function on the website's client-side code, which then passed the values after each / to create the project. This process had no CSRF protection at all. The part after the # is called a URI fragment; for more information on this read https://en.wikipedia.org/wiki/URI_fragment.
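As an added example that is not part of the original post, here is a sketch of the kind of fragment-driven action handler described above, beside a hardened version that only lets the fragment prefill a form and requires an explicit user gesture plus a CSRF token before the state-changing request is made. The function and API names (parseActionFragment, api.createProject, ctx.csrfToken) are assumptions, not the site's real code.

```javascript
// Added example (not the site's code). Names and the api/ctx objects are assumed.

// Parse "#createproject/sampleproject/webproject.com" into { action, args }.
function parseActionFragment(hash) {
  const parts = decodeURIComponent(hash.replace(/^#/, "")).split("/").filter(Boolean);
  if (parts.length === 0) return null;
  return { action: parts[0], args: parts.slice(1) };
}

// Vulnerable pattern: the state-changing call fires as soon as the page loads
// with a matching fragment. Any page that can make the victim's browser open
// this URL triggers it, and no token proves the user meant to do this.
function vulnerableDispatch(hash, api) {
  const cmd = parseActionFragment(hash);
  if (cmd && cmd.action === "createproject") {
    api.createProject(cmd.args[0], cmd.args[1]); // no CSRF token, no confirmation
    return true;
  }
  return false;
}

// Hardened pattern: fragments that name a state-changing action may only
// prefill a form. The request is sent from an explicit user action and must
// carry a per-session CSRF token; otherwise nothing is performed.
const STATE_CHANGING = new Set(["createproject"]);

function hardenedDispatch(hash, api, ctx) {
  const cmd = parseActionFragment(hash);
  if (!cmd) return { performed: false, reason: "no-action" };
  if (!STATE_CHANGING.has(cmd.action)) return { performed: false, reason: "unknown-action" };
  if (!ctx.userConfirmed) {
    // Show the form with these values filled in; do not submit.
    return { performed: false, reason: "needs-confirmation", prefill: cmd.args };
  }
  if (!ctx.csrfToken) return { performed: false, reason: "missing-csrf-token" };
  api.createProject(cmd.args[0], cmd.args[1], ctx.csrfToken);
  return { performed: true };
}
```

The server side must still validate the token; the client-side gate only removes the "action on page load" trigger that made the fragment URL a one-click CSRF.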
Because this process was initiated by a URI fragment, there is no way it could have shown up in a proxy tool such as Burp Suite: the fragment is never sent to the server, so this URL would not have been crawled. For reporting this I was paid $100.
This is the PoC code that I used when reporting:
<html><head><title>CSRF PoC — Generated By AppSec Labs csrf-generator</title></head>
<body><!-- form wrapper reconstructed around the original title and submit button; the action is the vulnerable URL from the write-up -->
<form action="https://redacted.com/projects/#createproject/sampleproject/webproject.com" method="GET"><input type="submit" value="Go!" /></form>
</body></html>