34 lines
1.7 KiB
HTML
34 lines
1.7 KiB
HTML
<div align="Center">
|
|
<p><b>Lesson Plan Title:</b>CSRF User Prompt By-Pass</p><br/>
|
|
</div>
|
|
|
|
<p><b>Concept / Topic To Teach:</b> </p>
|
|
This lesson teaches how to perform CSRF attacks that by-pass user confirmation prompts.
|
|
<br>
|
|
<div align="Left">
|
|
<p>
|
|
<b>How the attacks works:</b>
|
|
<p>
|
|
Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page
|
|
that contains a 'forged request' to execute commands with the victim's credentials. Prompting
|
|
a user to confirm or cancel the command might sound like a solution, but can be by-passed if
|
|
the prompt is scriptable. This lesson shows how to by-pass such a prompt by issuing another
|
|
forged request. This can also apply to a series of prompts such as a wizard or issuing multiple
|
|
unrelated forged requests.</p>
|
|
|
|
|
|
</div>
|
|
<p><b>General Goal(s):</b> </p>
|
|
<!-- Start Instructions -->
|
|
Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple
|
|
malicious requests: the first to transfer funds, and the second a request to confirm the prompt
|
|
that the first request triggered. The URL should point to the CSRF lesson with an extra
|
|
parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the
|
|
left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever
|
|
receives this email and happens to be authenticated at that time will have his funds transferred.
|
|
When you think the attack is successful, refresh the page and you will find the green check on
|
|
the left hand side menu.<br/>
|
|
<b>Note that the "Screen" and "menu" GET variables will vary between WebGoat builds. Copying the menu link on the left will give you the current values.</b>
|
|
<!-- Stop Instructions -->
|
|
|