CSRF Where to Look

1. State-Changing Endpoints

Look for actions that change data or account settings, not just fetch data.

Feature	Example Endpoint
Change email	/account/update-email
Change password	/account/change-password
Add/delete SSH keys	/account/ssh-keys/add
Add credit card	/billing/add-payment
Enable/disable 2FA	/security/2fa/toggle
Delete droplets	/droplets/delete
Add team members	/teams/invite
Create support ticket	Create support ticket
Change billing address	/billing/update-address

2. How to Discover These Endpoints

Using Burp Suite

1. Log in to (test account).
2. Enable Burp Proxy and start browsing.
3. Look in :
   • HTTP history → filter for POST, PUT, DELETE
   • Click each → observe payloads (Inspect the payloads and headers for token or referer behavior)

Developer Tools

1. Open browser DevTools → Network tab
2. Perform state-changing actions (e.g., change email, create resource, update email, add SSH key)
3. Filter XHR or Doc, watch for POST requests
4. Observe whether requests are POST, what headers they carry, and if a token is present

Check JavaScript / HTML

Look at :

• Forms: <form method="post">
• JS functions: fetch('/api/...', { method: 'POST' }) or axios.post(...)

3. Ignore These (Usually Not Vulnerable to CSRF)

• GETonly endpoints that don’t change data
• API endpoints requiring complex headers (e.g., Authorization: Bearer ...)
• Endpoints with strong CSRF tokens + SameSite=Strict cookies

4. Indicators of Missing/Broken CSRF Protection

Signal	Meaning
No CSRF token in the form or request	Likely vulnerable
Token exists but is static/guessable	Weak protection
Changing Origin or Referer doesn’t block request	Missing referer validation (Poor validation)
Cookie lacks SameSite attribute	High CSRF risk (Browser won’t help prevent CSRF)

5. Use This Checklist While Testing

• ❓ Does this action change any data?
• 📥 Does it use POST, PUT, or DELETE?
• 🔐 Is a CSRF token present?
• 🧩 Can you remove/bypass/strip the token?
• 🌐 Are there origin/referer checks?
• 🍪 Is SameSite cookie enforced?

6. Smart Tip : Look in the Account, Billing and Security Settings First

These are often :

• Behind auth
• Have critical impact
• Sometimes overlooked in CSRF protection
• Deal with sensitive actions
• Require authentication

Also test old UI endpoints, legacy APIs, or mobile API routes — these are sometimes reused without CSRF tokens.

Next Step for You

• Account Settings → try changing email, password, SSH keys
• Billing → try adding/editing payment methods
• API → check token creation/removal
• Support → try creating or deleting support tickets

➡️ Set Burp to intercept these actions and try removing tokens / crafting PoC forms to test.

While hunting on a live scope, If you test CSRF on :

• /api/* endpoints requiring Bearer tokens — waste of time
• Static pages or read-only GET requests — no value
• Well-protected forms using CSRF tokens & SameSite cookies — already mitigated

Focus instead on :

• Actions using POST/PUT/DELETE endpoints
• Logged-in user actions
• Endpoints/Forms missing CSRF tokens
• Legacy panels / old routes still in use
• Routes that work without origin/referer validation

Final Tip

When testing CSRF :

• Use DevTools or Burp to observe the real HTTP request.
• Capture what request happens when you change something
• Ask :
  • Is it POST/PUT/DELETE?
  • Is it state-changing?
  • Is a CSRF token present?
  • Are SameSite attributes set?
  • Can I trigger this from another origin?

Follow me for more real-world bug bounty breakdowns, pentest stories and tips from the trenches of offensive security.