There are certain cases where the CSRF tokens are injected into forms and sensitive URLs but are rarely checked and validated on the server side.
That being said, I recall a CSRF vulnerability in Facebook's AppCenter, uncovered by an Indian researcher called Amol Naik, in which he explained how he managed to bypass the AppCenter authentication (the AppCenter is basically a marketplace from which users can install different apps/games to their Facebook profile).
In the authentication phase Amol saw that Facebook was correctly sending their anti-CSRF token fb_dtsg
alongside the approval request, however, on the server side, the request was not getting validated and was ignored, which simply meant that their token was of no use at all. Amol proceeded and removed the fb_dtsg
parameter from the request altogether and the AppCenter app was still getting accepted.
So, while testing an application, we should always try to remove the CSRF token parameter/header from...