CSRF test by replacing with invalid csrf token
Vulnerability assessment by replacing the CSRF token with an invalid one
Broken User Authentication (BUA)
How this template works
API selection
The template's API selection filters define which recorded requests the test runs against. A request qualifies if its original response code was between 200 and 300, or if its headers, payload, or query parameters contain the keyword "csrf". When a matching parameter is found, the template also extracts the value of that "csrf" key for use in the execute step.
Execute request
The template executes a single request in which the header, query parameter, and body parameter identified by "csrf_key" are each overwritten with a fixed invalid value. Replacing the CSRF token this way tests whether the web application actually rejects a request that does not carry a valid token.
Validation
The template validates the response to the modified request. It checks that the response code is between 200 and 300, that the response payload matches at least 80% of the expected (original) payload, and that the response payload has a length greater than 0. If all three conditions hold, the server processed the request despite the invalid token, which indicates that the CSRF protection is missing or not enforced for that endpoint.
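The three stages described above (selection, execution with an invalid token, validation) can be modelled end to end. The following is an added example, not Akto's own template or code: it runs the same logic offline against two constructed mock endpoints, one that ignores the CSRF token and one that enforces it. The token values, request shape, and handler names are all assumptions made for the example; the 80% payload similarity is computed with difflib as a stand-in for Akto's percentage match.

```python
# Added example, not Akto's own code: an offline model of the template's
# three stages (API selection, execute with an invalid token, validate)
# run against two constructed mock endpoints.
import copy
import difflib
from dataclasses import dataclass

INVALID_TOKEN = "invalid-csrf-token"   # constructed replacement value
VALID_TOKEN = "tok-7f3a"               # constructed value the mock server expects


@dataclass
class Request:
    headers: dict
    query: dict
    body: dict


@dataclass
class Response:
    status: int
    payload: str


def is_2xx(status):
    """The template's status condition: 200 <= code < 300."""
    return 200 <= status < 300


def find_csrf_key(req):
    """Selection stage: return (location, key) of the first header, query
    parameter or body field whose name contains 'csrf', else None.
    This models the template extracting csrf_key."""
    for location in ("headers", "query", "body"):
        for key in getattr(req, location):
            if "csrf" in key.lower():
                return location, key
    return None


def select(req, baseline):
    """API selection filter: recorded response was 2xx and the request
    carries a csrf-named parameter."""
    if not is_2xx(baseline.status):
        return None
    return find_csrf_key(req)


def tamper(req, key):
    """Execute stage: overwrite the extracted key with an invalid token in
    the header, query and body maps, wherever that key is present."""
    mutated = copy.deepcopy(req)
    for location in ("headers", "query", "body"):
        params = getattr(mutated, location)
        if key in params:
            params[key] = INVALID_TOKEN
    return mutated


def percentage_match(expected, actual):
    """Similarity of two payloads as a percentage (difflib ratio)."""
    return difflib.SequenceMatcher(None, expected, actual).ratio() * 100


def validate(baseline, resp):
    """Validation stage: 2xx, non-empty payload, and >= 80% similar to the
    baseline payload. True means the endpoint accepted the invalid token."""
    return (is_2xx(resp.status)
            and len(resp.payload) > 0
            and percentage_match(baseline.payload, resp.payload) >= 80)


def run_test(handler, req):
    """True = vulnerable, False = token enforced, None = not selected."""
    baseline = handler(req)
    selected = select(req, baseline)
    if selected is None:
        return None
    _, key = selected
    return validate(baseline, handler(tamper(req, key)))


# --- constructed mock endpoints (hypothetical, for the example only) -------

def vulnerable_handler(req):
    """Never inspects the token: any session-authenticated request succeeds."""
    return Response(200, '{"status":"ok","email":"%s"}' % req.body.get("email"))


def protected_handler(req):
    """Rejects the request unless the body token matches the expected one."""
    if req.body.get("csrf_token") != VALID_TOKEN:
        return Response(403, '{"error":"invalid csrf token"}')
    return Response(200, '{"status":"ok","email":"%s"}' % req.body.get("email"))


# Constructed sample traffic: a profile update that carries the token in the body.
SAMPLE_REQUEST = Request(
    headers={"Cookie": "session=abc123", "Content-Type": "application/json"},
    query={},
    body={"email": "user@example.com", "csrf_token": VALID_TOKEN},
)
# Constructed request with no csrf-named parameter; the selection filter skips it.
NO_TOKEN_REQUEST = Request(headers={"Cookie": "session=abc123"}, query={},
                           body={"email": "user@example.com"})

if __name__ == "__main__":
    print("vulnerable endpoint flagged:", run_test(vulnerable_handler, SAMPLE_REQUEST))
    print("protected endpoint flagged:", run_test(protected_handler, SAMPLE_REQUEST))
    print("request without token selected:", run_test(vulnerable_handler, NO_TOKEN_REQUEST))
```

Running the script flags the vulnerable endpoint, clears the protected one (its 403 fails the 2xx check before the payload comparison is even reached), and reports the token-less request as not selected, which is the same three-way outcome the template's filter, execute and validate stages produce.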
Frequently asked questions
What is the purpose of this test?
What are the potential consequences of successful execution of unauthorized actions due to the absence of a CSRF token?
What category and subcategory does this test fall under?
What is the severity level of this test?
What are the selection filters used to identify relevant API requests for this test?
What modifications are made to the API requests during the execution of this test?
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', 'Validate', creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern-day organization."

Security team,
Rippling