Cross Site Request Forgery
CSRF is a very specialized form of XSS. It relies on the victim being logged into a site, so that the attacker can forge a request on the victim's behalf – to drain the victim’s bank account, for instance.
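As an added illustration (not code from this page, from OWASP or from webpwnized), the following constructed Python toy models a bank's transfer endpoint in two variants: one that trusts the session cookie alone, which a forged cross-site request carries automatically, and one that also demands the per-session synchronizer token the OWASP slides recommend. The class and function names are assumptions made for the example.

```python
import hmac
import secrets


class BankApp:
    """Constructed toy server: one transfer endpoint, a session cookie and a
    per-session synchronizer token (the pattern the OWASP slides describe)."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": str, "csrf": str}
        self.balances = {"alice": 100}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        # Rendered into the legitimate form as a hidden field; a page on another
        # origin cannot read it, so a forged request cannot carry it.
        return self.sessions[sid]["csrf"]

    def transfer(self, cookies, form, require_token):
        sess = self.sessions.get(cookies.get("session"))
        if sess is None:
            return 401  # no valid session cookie at all
        if require_token and not hmac.compare_digest(
                form.get("csrf_token", ""), sess["csrf"]):
            return 403  # cookie present but token missing or wrong: forged request
        self.balances[sess["user"]] -= int(form["amount"])
        return 200


def run_scenarios():
    """Return (forged status, legitimate status, final balance) per variant."""
    results = {}
    for require_token in (False, True):
        app = BankApp()
        sid = app.login("alice")
        cookies = {"session": sid}  # the browser attaches this to any request to the bank
        forged = {"amount": "50"}  # cross-site request: attacker does not know the token
        legit = {"amount": "10", "csrf_token": app.csrf_token(sid)}
        status_forged = app.transfer(cookies, forged, require_token)
        status_legit = app.transfer(cookies, legit, require_token)
        key = "protected" if require_token else "vulnerable"
        results[key] = (status_forged, status_legit, app.balances["alice"])
    return results
```

Calling run_scenarios() shows the cookie-only variant honouring the forged transfer while the token-checking variant rejects it with 403 and still accepts the legitimate form.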
Where to Learn
First, read this OWASP presentation:
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20OWASP%20Cross-site%20Request%20Forgery%20CSRF.pdf
Next, webpwnized is your friend. Watch these videos:
- Cross-Site Request Forgery Explained – Part 1: Basic CSRF
  https://www.youtube.com/watch?v=rR0SnARknlk
- Cross-Site Request Forgery Explained – Part 2: Advanced CSRF
  https://www.youtube.com/watch?v=xBWqIh6wSz8
- Using Burp-Suite Sequencer to Compare CSRF-token strengths
Test Your Skills
- https://www.root-me.org/en/Challenges/Web-Client/CSRF-token-bypass
- Mutillidae
Assignments
- Watch the videos.
- Do the hacks.