Exercise: Cross Site Request Forgery - CSRF

Solutions for this exercise

Create CSRF pages

Log out of the Marks Manager

  • Create a test directory for CSRF in the document root of your Apache server (the localhost:80 server you installed for the Guestbook).
  • Create a page displaying "Hello World" (or anything you want).
  • Insert an image tag (<img src="">) in your page.
  • In the application for managing the marks of the example school (Marks Manager), see how the logout works (which request, which method, which credentials, ...).
  • Using a tool that monitors the requests of your browser ("Web Developer Tools" if you use Firefox), see which request the browser sends to log out from the server.
  • Modify the src attribute of your image so that any person visiting your page is logged out of the Marks Manager.
  • Write a mail containing a link to your page and send it to one of the other students (this only works if your page is available from the internet).

Change marks inside the Marks Manager

  • Create a page with a POST form sending dummy data, with a "submit" button.
  • Create a page containing an iframe pointing to the page with the POST form. Make the button in the iframe visible.
  • Note which request the browser sends to set the marks of a class.
  • Update your POST form to send that request.
  • Write a mail containing the link to your page and explaining to the secretary why she should click the button.
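The two exercises above succeed because the Marks Manager performs state changes (logout, setting marks) on any request that carries the session cookie. The following added example (not part of the exercise or of the Marks Manager itself) shows the server-side checks that stop both pages: refusing GET for state changes, comparing the Origin/Referer against the site's own origin, and requiring a per-session anti-CSRF token. The site origin, secret, session id and the attacker.example hostname are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed origin of the Marks Manager; browsers omit the default port 80 in Origin headers.
SITE_ORIGIN = "http://localhost"
SERVER_SECRET = b"constructed-demo-secret"  # placeholder for the demo only


def csrf_token(session_id):
    """Derive a per-session anti-CSRF token as an HMAC of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_change_allowed(req):
    """Return (allowed, reason) for a state-changing request such as logout or set-marks.
    req is a constructed dict with keys: method, headers, cookies, form."""
    if req["method"] != "POST":
        # An <img src=...> can only issue a GET, so a GET logout is trivially forgeable.
        return False, "state change must use POST, not GET"
    session_id = req["cookies"].get("session")
    if not session_id:
        return False, "no session cookie"
    origin = req["headers"].get("Origin") or req["headers"].get("Referer")
    if origin is None:
        return False, "missing Origin and Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        # The iframe/POST-form page is served from another site, so the browser
        # labels the request with that site's origin.
        return False, f"cross-site request from {parsed.scheme}://{parsed.netloc}"
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        # The attacker's page cannot read the victim's token, so it cannot include it.
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed requests modelling the two exercise pages and a legitimate submission.
IMG_LOGOUT = {"method": "GET", "headers": {"Referer": "http://attacker.example/hello.html"},
              "cookies": {"session": "s1"}, "form": {}}
IFRAME_POST = {"method": "POST", "headers": {"Origin": "http://attacker.example"},
               "cookies": {"session": "s1"}, "form": {"mark": "6.0"}}
LEGIT_POST = {"method": "POST", "headers": {"Origin": "http://localhost"},
              "cookies": {"session": "s1"}, "form": {"mark": "6.0", "csrf_token": csrf_token("s1")}}

if __name__ == "__main__":
    for name, r in [("img logout", IMG_LOGOUT), ("iframe form", IFRAME_POST), ("legit", LEGIT_POST)]:
        print(name, is_state_change_allowed(r))
```

Setting the session cookie with SameSite=Lax or Strict would additionally stop the browser from attaching it to these cross-site requests in the first place.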

Force logout from IS-A

  • Write a page that automatically logs someone out of the IS-Academia web site is-a.bfh.ch.
  • Testing more CSRF on IS-A is totally forbidden!