:blank: pass:[ +]

== Login CSRF attack

In a login CSRF attack, the attacker forges a login request to an honest site using the attacker’s username 
and password at that site. If the forgery succeeds, the honest server responds with a `Set-Cookie` header 
that instructs the browser to mutate its state by storing a session cookie, logging the user into
the honest site as the attacker. This session cookie is used to bind subsequent requests to the user’s session and hence
to the attacker’s authentication credentials. Login CSRF attacks can have serious consequences, for example 
see the picture below where an attacker created an account at google.com the victim visits the malicious
website and the user is logged in as the attacker. The attacker could then later on gather information about
the activities of the user.

{blank}

image::images/login-csrf.png[caption="Figure: ", title="Login CSRF from Robust Defenses for Cross-Site Request Forgery", width="800", height="500", style="lesson-image" link="http://seclab.stanford.edu/websec/csrf/csrf.pdf"]

{blank}
For more information read the following http://seclab.stanford.edu/websec/csrf/csrf.pdf[paper].

In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack.
Leave this tab open and in another tab create a user based on your own username prefixed with `csrf-`.
So if your username is `tom` you must create a new user called `csrf-tom`.

Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab.
Because you are logged in as a different user, the attacker learns that you clicked the button.