
I found that a website protects itself against CSRF attacks by validating that the POST request contains a specific header:

-Example-header: GF

What I find strange is that this header doesn't have a CSRF token in it; it is just a custom header with a two-letter value that validates the POST request.

When I try to add it in the XHR request it executes as OPTIONS instead of POST and the attack fails. Is there any way to bypass this? I find this kind of stupid, because why are other websites implementing a personal large token in the custom header, if by adding a simple header with a short value the request preflights???

The HTML and JavaScript were made with Burp Suite Professional and it worked, but then adding the special header preflights the request.

EDIT: I am making a new post because maybe there is a way to bypass this, and the other post is 7 years old and doesn't answer my question. There are some tricks like deleting the Content-Type in the request, etc., that might do the trick.

Mr. ToxicMan
    Does this answer your question? [CSRF protection with custom headers (and without validating token)](https://security.stackexchange.com/questions/23371/csrf-protection-with-custom-headers-and-without-validating-token) – Xavier59 Dec 09 '19 at 15:19
  • I took a look at it before posting. It didn't answer my question and is too old... 7 years in this field and everything changes. Also I pentest a lot of websites and most of them do have a long custom token apart from the custom header... so why the custom header if the custom header alone is enough? – Mr. ToxicMan Dec 09 '19 at 15:32
  • The answer is still relevant for now; indeed, in this field a lot can happen in 7 years, but in this area it hasn't changed much. About the long custom token, I think the first answer explains it pretty well: _Security is about defence in depth. Simply checking the value is sufficient at the moment_ – Xavier59 Dec 09 '19 at 15:35
  • The first answer says "...Testing for the presence of a token achieves the absolute minimum defence necessary to deal with current attacks.". But in my case it doesn't check the value or anything, just that the header is present. But I can't add it in the XHR because it preflights. – Mr. ToxicMan Dec 09 '19 at 15:38
  • *"... but i can't add it in the XHR because it preflights"* - exactly this is the point: you cannot make an XHR with it and you cannot make a normal request with this custom header. – Steffen Ullrich Dec 09 '19 at 15:46
  • So we can say that the value after the custom header is for nothing? (without thinking of chaining it with XSS). – Mr. ToxicMan Dec 09 '19 at 16:15
  • It is defense in depth, so that if the first layer (a custom header cannot be sent in a CORS request) happened to be flawed, your application will still be protected against CSRF thanks to the random value associated with the header. – Xavier59 Dec 09 '19 at 21:33

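A worked illustration of the point made in the question and the comments, added here as an editorial example (it is not code from the question, the linked answer, or the site being tested): a small JavaScript model of the CORS "simple request" rule from the Fetch standard. A cross-origin request goes out without a preflight only if its method is GET, HEAD or POST and every header is one of Accept, Accept-Language, Content-Language or Content-Type with a form/multipart/text-plain value; any other header name, whatever its value, makes the browser send OPTIONS first. The function names (`preflightReasons`, `serverAcceptsPost`, `simulateCsrf`) and the server-side check are assumptions made for the example; the target's real code is not known. The request objects are constructed.

```javascript
// Added example: model of the CORS simple-request rule (Fetch standard,
// "CORS-safelisted request-header"). Only the parts of the rule needed here are
// modelled; the standard also puts byte-length limits on safelisted values,
// which does not change any result below.

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True if one header name/value pair is CORS-safelisted.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false; // e.g. Example-header: never safelisted
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase(); // drop "; charset=..."
    return SAFE_CONTENT_TYPES.has(essence); // application/json => preflight
  }
  return true;
}

// Everything about a cross-origin request that would trigger a preflight.
function preflightReasons(method, headers) {
  const reasons = [];
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m)) reasons.push(`method ${m}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isSafelistedHeader(name, value)) reasons.push(`header ${name}`);
  }
  return reasons;
}

// Hypothetical model of the target's check as described in the question:
// header presence only, the value is not validated.
function serverAcceptsPost(headers) {
  return Object.keys(headers).some((h) => h.toLowerCase() === "example-header");
}

// Simulate a browser on the attacker's origin sending a credentialed POST to the
// target. Assumption: the target's preflight response does not list
// Example-header in Access-Control-Allow-Headers (if it did, the header check
// would protect nothing), so a request that needs a preflight is never sent.
function simulateCsrf(method, headers, { targetAllowsHeaderInPreflight = false } = {}) {
  const reasons = preflightReasons(method, headers);
  if (reasons.length > 0 && !targetAllowsHeaderInPreflight) {
    return { sent: "OPTIONS", accepted: false, reasons };
  }
  return { sent: method.toUpperCase(), accepted: serverAcceptsPost(headers), reasons };
}

// 1. XHR with the custom header: preflighted, the POST never reaches the server.
const withHeader = simulateCsrf("POST", {
  "Content-Type": "application/x-www-form-urlencoded",
  "Example-header": "GF",
});
// 2. The "delete the Content-Type" trick from the EDIT: still preflighted,
//    because the custom header alone makes the request non-simple.
const noContentType = simulateCsrf("POST", { "Example-header": "GF" });
// 3. A simple request without the header (what an HTML <form> or a bare XHR can
//    send cross-origin): no preflight, but the server rejects it.
const simpleForm = simulateCsrf("POST", { "Content-Type": "text/plain" });

console.log(withHeader, noContentType, simpleForm);
```

Run with `node` to see the three outcomes. The model makes the comment-thread point concrete: the two-letter value is irrelevant to the first layer of protection, because the browser's preflight logic keys on the header name, not its value, and the only requests an attacker's page can send cross-origin without the target's consent are the ones that lack the header and therefore fail the server's presence check.
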
0 Answers