Let’s Bypass CSRF Protection & Password Confirmation to Takeover Victim Accounts :D
2020-06-13 01:43:20 Author: medium.com

Anti-CSRF tokens let the server verify that a state-changing request was actually issued by the user's own session, which protects against CSRF attacks. However, because of weak implementations in applications, there are several ways to bypass anti-CSRF tokens, such as:

  • Remove Anti-CSRF Token
  • Spoof Anti-CSRF Token by Changing a few bits
  • Using Same Anti-CSRF Token
  • Weak Cryptography to generate Anti-CSRF Token
  • Guessable Anti-CSRF Token
  • Stealing the token with other attacks such as XSS.
  • Converting a POST request to a GET request to bypass the CSRF token check. (This is what we will see in this article.)

P.S.: There may be other bypasses available. I mentioned some I remembered off the top of my head. If you know any others, please drop them in the responses to help the readers, or leave a note so that I can update this list with proper credits. :)

So let's call the target target.com. After fiddling around with the application, I found the /editprofile endpoint, which takes a request like this:

POST /editprofile HTTP/1.1
Host: target.com
<redacted>
username=test&description=<some_text>&phone=1231231231&anti_csrf=<token>

As you can see, the anti_csrf token is present, and the server rejects the request if the token is missing or forged. So basically no luck. Then I simply changed the request method from POST to GET, removed the anti_csrf parameter, and the forged request looked like:

GET /editprofile?username=test&description=<some_text>&phone=1231231231 HTTP/1.1
Host: target.com
<redacted>

And we were able to bypass it successfully. CSRF exploited.

But wait, this has low severity because we are still not able to do much other than change some profile information. After looking for more, I checked the password reset functionality, but again it asked for the current password before allowing the password to be changed. The original password change request looks like this:

POST /changepassword HTTP/1.1
Host: target.com
<redacted>
current_password=currentpassword&new_password=new_password&confirm_password=new_password&anti_csrf=<token>

So I simply removed the current_password field, and it successfully reset the password.

So now we have two things:

  1. A way to bypass the anti-CSRF token and perform CSRF
  2. A way to bypass the current-password check on password change

Now we can simply chain the issues to change the victim's password using CSRF. The forged request will look like:

GET /changepassword?new_password=new_password&confirm_password=new_password HTTP/1.1
Host: target.com
<redacted>

Simply use Burp Suite to generate a CSRF PoC (or use your own way to do it) and send it to the victim. Once the victim navigates to the attacker's crafted URL, their password will be changed.
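The two server-side defects the write-up describes, as an added example that is not the original post's or target.com's code: a minimal password-change handler that checks the anti-CSRF token only for POST and checks current_password only when the client sends it, next to a hardened version. The session layout, function names and plaintext password comparison are assumptions for illustration.

```python
import hmac
import secrets

# Constructed sample session for a logged-in user (assumption: the server keeps
# the synchronizer token and the credential in the session; a real application
# would store a password hash, not the plaintext kept here for brevity).
SESSION = {"user": "test", "csrf_token": secrets.token_hex(16), "password": "currentpassword"}


def vulnerable_change_password(method, params, session):
    """Mirrors the write-up: the token is validated only when the method is POST,
    and current_password is validated only when the field is present."""
    if method == "POST":
        if params.get("anti_csrf") != session["csrf_token"]:
            return 403, "bad csrf token"
    # Defect: a request that omits current_password skips this check entirely.
    if "current_password" in params and params["current_password"] != session["password"]:
        return 403, "wrong current password"
    if params.get("new_password") != params.get("confirm_password"):
        return 400, "passwords do not match"
    session["password"] = params["new_password"]
    return 200, "password changed"


def hardened_change_password(method, params, session):
    """Fixed version: state changes only via POST, the token is always required
    and compared in constant time, and current_password is always required."""
    if method != "POST":
        return 405, "method not allowed"
    if not hmac.compare_digest(params.get("anti_csrf", ""), session["csrf_token"]):
        return 403, "bad csrf token"
    if not hmac.compare_digest(params.get("current_password", ""), session["password"]):
        return 403, "wrong current password"
    if not params.get("new_password") or params["new_password"] != params.get("confirm_password"):
        return 400, "passwords do not match"
    session["password"] = params["new_password"]
    return 200, "password changed"
```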

Initial Severity of Medium is now HIGH.


Source: https://medium.com/bugbountywriteup/lets-bypass-csrf-protection-password-confirmation-to-takeover-victim-accounts-d-4a21297847ff?source=rss-54fa249211d2------2