CSRF through URL with # tag parameter

In this write up I want to share a very simple kind of CSRF bug that I found in a bug bounty program that didn’t require me to use Burpsuite or any other proxy tools to discover.

If you’re not familiar with the CSRF vulnerability I suggest you read this article before continuing https://owasp.org/www-community/attacks/csrf.

Usually CSRFs are found either in forms on websites or through URLs that initiate some action. In this case I found a CSRF through a URL that initiated one of the main functionalities of a website. This URL I found it by simply clicking through the website and looking at the different URLs that populated in the browser as I was clicking. I can’t reveal the company so for the rest of this write up let’s call the website redacted.com.

The vulnerable URL looked something like https://redacted.com/projects/#createproject/sampleproject/webproject.com. By clicking this link the user would create a project under redacted.com/projects with the name of the project and a link for the project. What would happen is that the #createproject fragment would call a function on the website that would then pass the values after the / to create the project. This process didn’t have any CSRF protection. This # tag parameter is called a URI fragment, for more information on this read https://en.wikipedia.org/wiki/URI_fragment.

Because this process was initiated by a URI fragment there is no way this could have been found listed on a proxy tool such as Burpsuite as this URL would not have been crawled. For reporting this I was paid $100.

This is the POC code that I used when reporting:

<html><head>
<title>CSRF PoC — Generated By AppSec Labs csrf-generator</title>
</head><body>
<form action=”https://redacted.com/projects/#createproject/sampleproject/webproject.com">
<input type=’submit’ value=’Go!’ />
</form>
</body></html>

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store