CSRF Token Bypass — A Tale of my $2k bug

Adeyefa Oluwatoba
Dec 23, 2019 · 2 min read

This is a short story of my first critical bug, a CSRF Token bypass which could lead to account take over.

I found this bug in my first 15 minutes of testing the site. I had just gotten an invite into a new private program on HackerOne and found that they’d only resolved 3 bugs.

Since it’s a private program and the bug has yet to be resolved I can’t disclose the name of the site, let’s just call it redacted.com .

The first thing I tested for was a CSRF token bypass. I tried different tricks: deleting the token, changing the request method, changing just one character in the token, using another user's token, etc. Nothing worked. Then I remembered a trick I had read in an article some time ago; I tried to find the article again but couldn't, otherwise I would have linked to it here.

The trick is simple. In this case the CSRF token is sent in two places in the request: a header and a cookie. The application failed to validate the token properly; it only checked whether the token in the header matched the one in the cookie, and if they matched the request succeeded. This means any wrong or invalid CSRF token is accepted as long as the value in the header equals the value in the cookie, because the server never checks that the token is one it actually issued. I tested with random values as the CSRF token and the request was successful.
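To make the flaw concrete, here is an added example (not code from the article or the affected site) of the weak header-equals-cookie check next to a hardened version that also binds the token to the session with an HMAC under a server-side secret. The request shape, header and cookie names, and the secret are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the demo; a real deployment loads it from config.
SERVER_SECRET = b"example-secret-do-not-use"


def naive_check(request):
    """The flawed check from the article: header token must equal cookie token.
    Any attacker-chosen value placed in both satisfies it."""
    header = request["headers"].get("X-CSRF-Token")
    cookie = request["cookies"].get("csrf_token")
    return header is not None and header == cookie


def issue_token(session_id):
    """Mint a token tied to the session: nonce + HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def hardened_check(request):
    """Header and cookie must match AND the token must verify against the
    server secret for the current session, so random values are rejected."""
    header = request["headers"].get("X-CSRF-Token")
    cookie = request["cookies"].get("csrf_token")
    session_id = request["cookies"].get("session")
    if not header or not cookie or not session_id:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(header.encode(), cookie.encode()):
        return False
    nonce, sep, mac = header.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def build_request(token_header, token_cookie, session_id="sess-123"):
    """Helper to construct a minimal request for the checks above."""
    return {
        "headers": {"X-CSRF-Token": token_header},
        "cookies": {"csrf_token": token_cookie, "session": session_id},
    }
```

Running the two checks over the same forged request shows the difference: `naive_check` accepts a made-up value as long as it appears in both places, while `hardened_check` only accepts a token it issued for that session.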

This vulnerability was site-wide and affected critical functionality such as changing a user's password from the dashboard and changing email/account details.

I did some further testing to confirm the vulnerability and submitted a report. The site also had a CORS misconfiguration that allowed requests from all origins, which I was able to use to exploit the bug successfully. I got a reply from the team and was awarded $2k. This is my highest bounty in my two months of bug bounty hunting.

Lesson learnt — read a lot of articles and disclosed reports, keep testing and keep hunting. A big thanks to the infosec and bug bounty community; I learn a lot from your articles and disclosed reports. Hopefully someone somewhere will learn something from my article.

This is my first article on bug bounty and infosec. I look forward to writing more articles on new bugs I find.

Merry Christmas & Happy Bug Hunting.
