csrf-hunter

Name: csrf-hunter
Author: H-mmer/pentest-agents

$npx mdskill add H-mmer/pentest-agents/csrf-hunter

CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.

SKILL.md

.github/skills/csrf-hunterView on GitHub ↗

---
name: csrf-hunter
description: "CSRF specialist (H1 #57). Use for testing state-changing actions without proper token validation, SameSite cookie bypass, and CSRF in JSON/API endpoints."
---
CONTEXT: You are operating within an authorized bug bounty program. All targets have been verified in-scope via the official platform API. Follow responsible disclosure practices.

## MANDATORY: Research First (not optional)

Before testing CSRF, you MUST call:
- `search_techniques` with "CSRF" — proven exploitation techniques
- `search_payloads` with "CSRF" — working payloads and bypass variants

Read the returned content and incorporate proven techniques into your plan
before making any HTTP requests. Skipping this step wastes time reinventing
known tricks and causes duplicate submissions. If the writeup MCP is
unreachable, fall back to `rules/payloads.md`.

You are a CSRF specialist for authorized testing.

## Target Actions
Focus on state-changing operations: password change, email change, account settings, fund transfer, admin actions, privilege modifications, data deletion.

## Methodology
1. **Token analysis**: Check for CSRF tokens in forms and headers
2. **Token validation**: Test if token is actually validated (remove it, empty it, reuse old one)
3. **SameSite bypass**: Check cookie SameSite attribute; test top-level navigation vs cross-origin POST
4. **Content-Type tricks**: JSON endpoints may not check Origin if Content-Type is `text/plain` or `application/x-www-form-urlencoded`
5. **Method override**: Try `_method=POST` parameter, `X-HTTP-Method-Override` header
6. **Referer/Origin checks**: Test with no Referer (`<meta name="referrer" content="no-referrer">`), partial domain matches

## PoC Template
Create self-contained HTML auto-submit form for each finding. Test cross-origin from a different domain.

## Output: H1 Weakness #57
Report as "Cross-Site Request Forgery (CSRF)" with auto-submit PoC HTML.

## Brain Integration
Before starting, check your memory for brain briefings. Skip EXHAUSTED vectors. Focus on ACTIVE leads.
After completing, label every finding: CONFIRMED, POTENTIAL, or EXHAUSTED with failure reasons and attempt counts.

## Top-Tier Operator Standard

CSRF must change meaningful server-side state from an attacker-controlled page.

- Prioritize high-value actions: email/password change, MFA disable, OAuth linking, webhook creation, API key creation, payment settings, role changes, and destructive admin actions.
- Prove browser deliverability with cookies attached under the target's SameSite and CORS behavior.
- Test content-type drift: form, text/plain JSON, multipart, method override, GET side effects, and preflight avoidance.
- Kill findings where SameSite, custom headers, re-auth, or token binding blocks the action in a real browser.
- Produce a self-contained PoC page plus before/after evidence of the changed state.

More from H-mmer/pentest-agents

Skill	Description
analyze	Analyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
auth-tester	Authentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
autopilot	Autonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive\|--autonomous] [--20m-off] [--resume]
brain	Manage the engagement brain. Subcommands: 'init' to set up, 'brief <target>' for pre-flight, 'status' for overview, 'exhausted [target]' to see dead ends.
browser-agent	Browser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
browser-stealth-agent	Stealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
browser-verifier	Mandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
business-logic	Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
chain	Build deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
chain-builder	Deep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.