The easter bunny came by Zerocopter’s offices today and while he didn’t leave any eggs, he did leave 5 ways to bypass CSRF protection for you!
1. Verify that the token is really random.
The CSRF token isn’t always as random as it seems to be. For example, does "c4ca4238a0b923820dcc509a6f75849b" look like a good CSRF token to you?
If you think that it does... c4ca4238a0b923820dcc509a6f75849b is the MD5 hash of "1". A quick Google search for a CSRF token might help you gain more information about how the tokens are generated.
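For the defending side, the weak pattern above next to a hardened one, plus an audit check you can run against tokens your own application issues. This is an added example, not code from the original post; SERVER_KEY and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key for this example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
HEX = set("0123456789abcdef")


def weak_token(user_id: int) -> str:
    """The anti-pattern from the text: MD5 of a guessable value."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """128-bit nonce from the OS CSPRNG, bound to the session with HMAC-SHA256."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, token: str) -> bool:
    """Reject malformed tokens, then compare the MAC in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32 or not set(nonce) <= HEX:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def is_guessable(token: str, limit: int = 10_000) -> bool:
    """Audit check: is the token an unsalted hash of a small integer?"""
    token = token.lower()
    for n in range(limit):
        data = str(n).encode()
        for algo in (hashlib.md5, hashlib.sha1, hashlib.sha256):
            if algo(data).hexdigest() == token:
                return True
    return False
```

Binding the token to the session also means a token issued for one session is rejected when replayed in another.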
2. Cookie injection
Sometimes the CSRF token is stored in a cookie. When there is a vulnerability that allows you to set or read a cookie, for example cross-site scripting or an HTTP response splitting scenario, you might be able to overwrite the existing token with a weak one.
3. Cross-site scripting
With a cross-site scripting vulnerability you are allowed to read content from the same domain, so you are likely able to read the CSRF token from a CSRF-protected post.
4. Overly permissive cross-domain policy
A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat, permission to handle data across domains. If the cross-domain file is configured weakly (for example with a wildcard ("*") or an expired domain), it might be possible to read the CSRF token using a simple Flash file.
- Olivier Beg