WebGoat/webapp/lesson_plans/English/CsrfTokenByPass.html

<div align="Center"> 
<p><b>Lesson Plan Title:</b>CSRF Token Prompt By-Pass</p><br/>
 </div>
 
<p><b>Concept / Topic To Teach:</b> </p>
This lesson teaches how to perform CSRF attacks on sites that use tokens to mitigate CSRF attacks, but are vulnerable to CSS attacks.
 <br> 
<div align="Left"> 
<p>
<b>How the attacks works:</b>
</p>
<p>
Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into 
loading a page that contains a 'forged request' to execute commands with the 
victim's credentials.  </p>

<p>Token-based request authentication mitigates these attacks.  This technique 
inserts tokens into pages that issue requests.  These tokens are required to 
complete a request, and help verify that requests are not scripted.  CSRFGuard from OWASP uses 
this technique to help prevent CSRF attacks.</p>

<p>However, this technique can be by-passed if CSS vulnerabilities exist on the same site.  
Because of the same-origin browser policy, pages from the same domain can read content from 
other pages from the same domain.  </p>

</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious 
request to transfer funds.  To successfully complete you need to obtain a valid request token.  
The page that presents the transfer funds form contains a valid request token.  The URL for the 
transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load 
this page, read the token and append the token in a forged request to transferFunds. When you think
the attack is successful, refresh the page and you will find the green check on the left hand side menu.<br/>
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
<!-- Stop Instructions -->