Professional Documents
Culture Documents
20CSP-338
Submitted for the requirement of
Lab Course
ii
Param Sahai
20BCS5964
Experiment 1.3
ATTACK SURFACES: The attack surfaces for CSRF are mostly HTTP requests that cause a change in
something related to the victim, for example: name, email address, website and even password. It is sometimes
used to alter the state of authentication as well. (Login CSRF, Logout CSRF) which are less severe but can still be
problematic in some cases.
EXPLOITATION:
Consider a website example.com and the attacker’s website evil.com. Also assume that the victim is logged in
and his session is being maintained by cookies. The attacker will:
i. Find out what action he needs to perform on behalf of the victim and find out its endpoint (for example,
to change password on target.com a POST request is made to the website that contains new password as
the parameter.)
ii. Place HTML code on his website evil.com that will imitate a legal request to target.com (for example, a
form with method as post and a hidden input field that contains the new password).
iii. Make sure that the form is submitted by either using “autosubmit” or luring the victim to click on a
submit button.
When the victim visits evil.com and that form is submitted, the victim’s browser makes a request to target.com
for a password change. Also the browser appends the cookies with the request. The server treats it as a genuine
request and resets the victim’s password to the attacker’s supplied value. This way the victim’s account gets
taken over by the attacker.
1
Akshat Chauhan
20BCS5931
Fig 1.3.1 (How does a CSRF attack works)
2
Akshat Chauhan
20BCS5931
3. Steps for experiment:
i. Install WebGoat on kali-linux and register as a new user. From the menu select Cross Site Request Forgery.
3
Akshat Chauhan
20BCS5931
ii. Now click on “Submit Query” button, we should get redirected to following page.
4
Akshat Chauhan
20BCS5931
iii. Right click on “Submit Query” button and choose inspect. See exactly where form is going to. Now craft
own html form which looks exactly same as this form.
5
Akshat Chauhan
20BCS5931
iv. Now open the form in new tab. Here the submit query will be displayed to the victim.
v. Once the victim clicks the submit query that is it, as quickly as this we are able to launch the attack by using
a separate form.
6
Akshat Chauhan
20BCS5931
vi. We can take this attack to next level. To do so we can copy the HTML file we created and paste it into our
own web application server and we can host it very quickly. Now we have hosted our hacking server, which
has the fake form.
Evaluation Grid (To be created as per the SOP and Assessment guidelines by the faculty):
7
Akshat Chauhan
20BCS5931