[ Hacker Night School ] :: CSRF

Cross Site Request Forgery

CSRF is a very specialized form of XSS. It relies on the victim being logged into a site, so the attacker can make a false request – to drain the victim’s bank account, for instance.

Where to Learn

First, read this OWASP presentation:
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20OWASP%20Cross-site%20Request%20Forgery%20CSRF.pdf

Next, webpwnized is your friend. Watch these videos:

Cross-Site Request Forgery Explained – Part 1: Basic CSRF

https://www.youtube.com/watch?v=rR0SnARknlk

Cross-Site Request Forgery Explained – Part 2: Advanced CSRF

https://www.youtube.com/watch?v=xBWqIh6wSz8

Using Burp-Suite Sequencer to Compare CSRF-token strengths

Test Your Skills

https://www.root-me.org/en/Challenges/Web-Client/CSRF-token-bypass

Mutillidae

Assignments

  1. Watch the videos.
  2. Do the hacks.