Figure: For more information read the following paper. In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. Leave this tab open and in another tab create a user based on your own username prefixed with csrf- . So if your username is tom you must create a new user called csrf-tom. Login CSRF from Robust Defenses for Cross-Site Request Forgery Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab. Because you are logged in as a different user, the attacker learns that you clicked the button. Press the button below when your are logged in as the other user Solved!

Database System Concepts
7th Edition
ISBN:9780078022159
Author:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Chapter1: Introduction
Section: Chapter Questions
Problem 1PE
icon
Related questions
Question

WebGoat write up(Cross-Site Request Forgeries 8 Login CSRF attack)

 

Please provide the html code for bypassing and solving the above problem

 

Note: Show the code, output and explanation for thumbs up

(A5) Broken Access Control
(A7) Cross-Site Scripting (XSS)
(A8) Insecure Deserialization
(A9) Vulnerable Components
(A8:2013) Request Forgeries
Cross-Site Request Forgeries
Server-Side Request Forgery
Client side
Challenges
>
>
>
>
>
>
>
Login CSRF attack
In a login CSRF attack, the attacker forges a login request to an honest site using the attacker's username and password at that site. If the forgery succeeds, the
honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site
as the attacker. This session cookie is used to bind subsequent requests to the user's session and hence to the attacker's authentication credentials. Login
CSRF attacks can have serious consequences, for example see the picture below where an attacker created an account at google.com the victim visits the
malicious website and the user is logged in as the attacker. The attacker could then later on gather information about the activities of the user.
www.attacker.com
Victim Browser
GET /blog HTTP/1.1
<form action=https://www.google.com/login
method=POST target=invisibleframe>
<input name username value-attacker>
POST /login HTTP/1.1
Referer: http://www.attacker.com/blog
www.google.com
Transcribed Image Text:(A5) Broken Access Control (A7) Cross-Site Scripting (XSS) (A8) Insecure Deserialization (A9) Vulnerable Components (A8:2013) Request Forgeries Cross-Site Request Forgeries Server-Side Request Forgery Client side Challenges > > > > > > > Login CSRF attack In a login CSRF attack, the attacker forges a login request to an honest site using the attacker's username and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to mutate its state by storing a session cookie, logging the user into the honest site as the attacker. This session cookie is used to bind subsequent requests to the user's session and hence to the attacker's authentication credentials. Login CSRF attacks can have serious consequences, for example see the picture below where an attacker created an account at google.com the victim visits the malicious website and the user is logged in as the attacker. The attacker could then later on gather information about the activities of the user. www.attacker.com Victim Browser GET /blog HTTP/1.1 <form action=https://www.google.com/login method=POST target=invisibleframe> <input name username value-attacker> POST /login HTTP/1.1 Referer: http://www.attacker.com/blog www.google.com
Figure: Login CSRF from Robust Defenses for Cross-Site Request Forgery
For more information read the following paper.
In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. Leave this tab open and in another tab create a user based on your own
username prefixed with csrf- . So if your username is tom you must create a new user called csrf-tom.
Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab. Because you are logged in as a different user, the
attacker learns that you clicked the button.
Press the button below when your are logged in as the other user
Solved!
Transcribed Image Text:Figure: Login CSRF from Robust Defenses for Cross-Site Request Forgery For more information read the following paper. In this assignment try to see if WebGoat is also vulnerable for a login CSRF attack. Leave this tab open and in another tab create a user based on your own username prefixed with csrf- . So if your username is tom you must create a new user called csrf-tom. Login as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab. Because you are logged in as a different user, the attacker learns that you clicked the button. Press the button below when your are logged in as the other user Solved!
Expert Solution
trending now

Trending now

This is a popular solution!

steps

Step by step

Solved in 4 steps

Blurred answer
Knowledge Booster
Network Security
Learn more about
Need a deep-dive on the concept behind this application? Look no further. Learn more about this topic, computer-science and related others by exploring similar questions and additional content below.
Similar questions
Recommended textbooks for you
Database System Concepts
Database System Concepts
Computer Science
ISBN:
9780078022159
Author:
Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:
McGraw-Hill Education
Starting Out with Python (4th Edition)
Starting Out with Python (4th Edition)
Computer Science
ISBN:
9780134444321
Author:
Tony Gaddis
Publisher:
PEARSON
Digital Fundamentals (11th Edition)
Digital Fundamentals (11th Edition)
Computer Science
ISBN:
9780132737968
Author:
Thomas L. Floyd
Publisher:
PEARSON
C How to Program (8th Edition)
C How to Program (8th Edition)
Computer Science
ISBN:
9780133976892
Author:
Paul J. Deitel, Harvey Deitel
Publisher:
PEARSON
Database Systems: Design, Implementation, & Manag…
Database Systems: Design, Implementation, & Manag…
Computer Science
ISBN:
9781337627900
Author:
Carlos Coronel, Steven Morris
Publisher:
Cengage Learning
Programmable Logic Controllers
Programmable Logic Controllers
Computer Science
ISBN:
9780073373843
Author:
Frank D. Petruzella
Publisher:
McGraw-Hill Education