Initial cut on CSRF. More to come

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get-1.adoc

@@ -0,0 +1,3 @@
+== Confirm Flag
+
+Confirm the flag you should have gotten on the previous page below.

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Basic_Get.adoc

@@ -0,0 +1,9 @@
+== The Base Form
+
+The form below has hidden elements and submits to an action of TBD.  You can try it out and watch what it does, but it won't get you the flag. Once you can
+
+Every attack in this lesson will need to be done through another page or site. To see your progress, you will need to reload the
+pages or re-navigate back through the lesson to see your progress.
+
+Just to get your feet wet, issue a request to _SERVER_/WebGoat/csrf/basic-get-flag with a parameter named 'csrf' equal to 'true'. Your request needs to
+come from a local file or be hosted on a different website.

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_GET.adoc

@@ -0,0 +1,10 @@
+== CSRF with a GET request
+
+This is the most simple CSRF attack to perform. For example you receive an e-mail with the following content:
+
+`<a href="http://bank.com/transfer?account_number_from=123456789&account_number_to=987654321&amount=100000">View my Pictures!</a>`
+
+If the user is still logged in to the website of bank.com this simple GET request will transfer money from one account to another.
+Of course in most cases the website might have multiple controls to approve the request.
+
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_Get_Flag.adoc

@@ -0,0 +1,4 @@
+== Basic Get CSRF Exercise
+
+place holder ...
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_intro.adoc

@@ -0,0 +1,27 @@
+=== What is a Cross-site request forgery?
+
+Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF
+(sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted
+from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF
+exploits the trust that a site has in a user's browser.
+
+A cross-site request forgery is a 'confused deputy' attack against a web browser. CSRF commonly has the following characteristics:
+
+* It involves sites that rely on a user's identity.
+* It exploits the site's trust in that identity.
+* It tricks the user's browser into sending HTTP requests to a target site.
+* It involves HTTP requests that have side effects.
+
+At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize
+the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site
+that trusts the user and thereby causes an unwanted action.
+
+A CSRF attack targets/abuses basic web functionality. If the site allows that causes a state change on the server, such as changing the victim's email address or password, or purchasing
+something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does.
+As such, CSRF attacks target state-changing requests.
+
+Let's continue with some exercises to address way to perform a CSRF request.
+
+
+
+

webgoat-lessons/csrf/src/main/resources/lessonPlans/en/CSRF_plan.adoc

@@ -0,0 +1,10 @@
+= Cross-site request forgery (CSRF)
+
+== Concept
+
+This lesson teaches how to what a CSRF attack is and how it can be abused and protected against.
+
+== Goals
+
+* The user should have basic knowledge of JavaScript
+* The user will learn to perform a CSRF attack and how to protected against it.