Introduction — CSRF:

CSRF (Cross-Site Request Forgery) is a kind of web application vulnerability in which an attacker forges an HTTP request on behalf of a user without the user's knowledge. It results in a serious security flaw in the web application.

In this write-up I will explain how to identify a JSON CSRF vulnerability and the challenges I faced escalating this bug in a recent project.

JSON CSRF is not possible in every web application that accepts a JSON body; it mainly depends on the authentication mechanism. To identify it, we have to make sure that the HTTP request satisfies the conditions below.

1. The authentication mechanism is cookie-based. (By default, cookie-based authentication is vulnerable to CSRF attacks.)

2. The HTTP request is not fortified by a custom random token, either in a header or in the body.

3. The HTTP request is not fortified by the Same-Origin Policy (the server does not validate where the request came from).

“If the above conditions are satisfied, we can directly forge the JSON request by simply making an Ajax request from another origin.”

Note: these are the primary conditions for achieving CSRF with JSON. However, it is sometimes possible to exploit JSON CSRF even when the 2nd and 3rd points are not satisfied.

Challenges I faced exploiting JSON CSRF in a recent bug bounty:

Observation:

Whenever I test a web application, I carefully observe its authentication mechanism. If it is cookie-based authentication, I directly look for CSRF vulnerabilities.

As I said above, the request below satisfied the 1st point, but the 2nd and 3rd were not satisfied: the request is fortified by a custom token specified in the ‘X-Auth-Token’ header, and the Origin header is also validated. Please carefully observe the images below.

I generally follow the bug bounty tips on Twitter, so I had some other test cases for checking the request's protection mechanism.

Those tips are:

1. Change the request method to GET and append the body as query parameters.

2. Test the request without the custom token, and also without the header itself.

3. Test the request with a different token of exactly the same length.

Luckily, the 2nd tip worked for me :)

The application accepts the request without the “X-Auth-Token:” header.
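As an added example, not code from the original write-up or from the application it tested, the following Python models the server-side gate that the three conditions and the three bypass tests argue for. weak_gate() isolates the token-handling flaw the write-up found (the X-Auth-Token value is verified only when the header is present, so a request that omits it passes) and deliberately leaves out every other check so that effect is visible; hardened_gate() makes each check mandatory: state-changing method only, JSON Content-Type, an allow-listed Origin (with Referer as fallback), and a token that must be present and is compared in constant time. The allow-list, session token, and sample headers are constructed for the example.

```python
# Added example: server-side CSRF gate for a cookie-authenticated JSON endpoint.
# Not the write-up's code; origins, tokens and sample headers are constructed.
import hmac
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example"}           # constructed allow-list
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}  # methods that may change state


def _lower(headers: Mapping[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def _origin_of(h: Mapping[str, str]) -> Optional[str]:
    """Prefer Origin; fall back to scheme://host of Referer; None if neither is present."""
    origin = h.get("origin")
    if origin:
        return origin.rstrip("/")
    referer = h.get("referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def weak_gate(method: str, headers: Mapping[str, str], session_token: str) -> Tuple[bool, str]:
    """Validate-if-present token check: the assumed shape of the bug, not the app's code.
    Method, Content-Type and Origin are intentionally not checked here."""
    h = _lower(headers)
    token = h.get("x-auth-token")
    if token is not None and token != session_token:
        return False, "token mismatch"
    return True, "accepted"  # a request with no X-Auth-Token header at all is accepted


def hardened_gate(method: str, headers: Mapping[str, str], session_token: str) -> Tuple[bool, str]:
    """Fail closed: every check is mandatory and the first failing one is reported."""
    h = _lower(headers)
    if method.upper() not in STATE_CHANGING:          # tip 1: no state change via GET
        return False, "state-changing endpoint called with " + method
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":                    # a plain form post cannot send JSON
        return False, "content type is not application/json"
    origin = _origin_of(h)
    if origin is None:                                 # condition 3: no provenance, no service
        return False, "no Origin or Referer header"
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + origin
    token = h.get("x-auth-token")
    if token is None:                                  # tip 2: the header is required, not optional
        return False, "missing X-Auth-Token"
    if not hmac.compare_digest(token.encode(), session_token.encode()):  # tip 3: constant time
        return False, "token mismatch"
    return True, "accepted"


# Constructed sample requests (not traffic captured from the write-up).
SESSION_TOKEN = "tok-123"
LEGIT = {"Origin": "https://app.example", "Content-Type": "application/json",
         "X-Auth-Token": SESSION_TOKEN}
CROSS_SITE_NO_TOKEN = {"Origin": "https://other.example", "Content-Type": "text/plain"}


def compare_gates(method: str, headers: Mapping[str, str],
                  session_token: str = SESSION_TOKEN) -> Dict[str, Tuple[bool, str]]:
    """Run both gates on one request so the difference is visible side by side."""
    return {"weak": weak_gate(method, headers, session_token),
            "hardened": hardened_gate(method, headers, session_token)}


if __name__ == "__main__":
    for name, hdrs in (("legitimate", LEGIT), ("cross-site, no token", CROSS_SITE_NO_TOKEN)):
        print(name, compare_gates("POST", hdrs))
```

The hardened gate refuses a request that carries neither Origin nor Referer rather than letting it through, and it checks the token only after the origin, so a cross-site request never reaches the token comparison in the first place. hmac.compare_digest keeps the "same length, different token" case from leaking anything through timing, which a plain string comparison does not guarantee.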