
Question

WebGoat write up(Cross-Site Request Forgeries 8 Login CSRF attack)

 

Please provide the html code for bypassing and solving the above problem

 

Note: Show the code, output and explanation for thumbs up

Login CSRF attack
In a login CSRF attack, the attacker forges a login request to an honest site using the attacker's own username and password at that site. If the forgery succeeds, the honest server responds with a Set-Cookie header that instructs the browser to store a session cookie, logging the user into the honest site as the attacker. That session cookie binds the user's subsequent requests to the attacker's session, and hence to the attacker's authentication credentials. Login CSRF attacks can have serious consequences. In the picture below, for example, the attacker has created an account at google.com; when the victim visits the malicious website, the victim's browser is silently logged in as the attacker, and the attacker can later gather information about the user's activities from that account.
Figure (diagram): the Victim Browser sends GET /blog HTTP/1.1 to www.attacker.com. The attacker's page contains <form action=https://www.google.com/login method=POST target=invisibleframe> with <input name=username value=attacker>. The browser then submits POST /login HTTP/1.1 with Referer: http://www.attacker.com/blog to www.google.com.
Figure: Login CSRF from Robust Defenses for Cross-Site Request Forgery
For more information read the following paper.
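The defence side of the mechanism described above, as an added example that is not part of the WebGoat lesson or of the cited paper: a minimal Python login handler that applies the two server-side checks the paper recommends against login CSRF, an Origin/Referer check and a form token bound to a pre-login cookie, and runs them over constructed requests, including the forged POST /login from the figure. The names SITE_ORIGIN, SERVER_SECRET, pre_session, csrf_token, check_login_request and the sample credentials are assumptions made for this example; a login POST with no Origin or Referer at all is rejected here as a deliberately conservative choice.

```python
"""Server-side checks that defeat the login CSRF shown in the figure (added example).

Assumptions (not from the page): the honest site is https://www.google.com as in the
figure; the server sets a 'pre_session' cookie before rendering the login form; the
login form carries a 'csrf_token' field derived from that cookie.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.google.com"  # honest site from the page's figure
# Constructed server secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_pre_session():
    """Create an unauthenticated 'pre-session' cookie value and the form token bound to it.

    The cookie is set when the login page is served and the token is embedded in the
    login form. A cross-site page can read neither, so it cannot produce a matching pair.
    """
    pre_session = secrets.token_hex(16)
    token = hmac.new(SERVER_SECRET, pre_session.encode(), hashlib.sha256).hexdigest()
    return pre_session, token


def request_origin(headers):
    """Return the origin the browser reports for the request, or None if unknown.

    Prefer the Origin header (set by the browser, not writable from a web page); fall
    back to scheme+host of Referer, as the cited paper suggests for older browsers.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return lowered["origin"].rstrip("/")
    if "referer" in lowered:
        parts = urlsplit(lowered["referer"])
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_login_request(headers, cookies, form):
    """Decide whether a POST /login may create a session. Returns (accepted, reason)."""
    # Check 1: the request must originate from our own site. A missing Origin/Referer
    # is rejected too: this example treats a login POST of unknown origin as hostile.
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, f"cross-site or unknown origin: {origin}"

    # Check 2: the form token must match the pre-session cookie (defence in depth
    # should a proxy strip Origin/Referer). Constant-time compare avoids timing leaks.
    pre_session = cookies.get("pre_session", "")
    expected = hmac.new(SERVER_SECRET, pre_session.encode(), hashlib.sha256).hexdigest()
    if not pre_session or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False, "missing or mismatched login form token"

    return True, f"login accepted for user {form.get('username')!r}"


def evaluate_samples():
    """Run the checks over constructed requests: the forged login from the figure and others."""
    pre_session, token = issue_pre_session()

    # Constructed from the figure: the victim's browser auto-submits the attacker's form.
    # The cross-site page never saw the pre_session cookie value, so no token is present.
    forged = dict(
        headers={"Host": "www.google.com", "Referer": "http://www.attacker.com/blog"},
        cookies={},
        form={"username": "attacker", "password": "attacker-password"},  # constructed
    )
    # Constructed: the user submits the real login form the site served them.
    genuine = dict(
        headers={"Host": "www.google.com", "Origin": "https://www.google.com"},
        cookies={"pre_session": pre_session},
        form={"username": "alice", "password": "alice-password", "csrf_token": token},
    )
    # Constructed: same-site request with Origin/Referer stripped (e.g. by a privacy proxy).
    stripped = dict(
        headers={"Host": "www.google.com"},
        cookies={"pre_session": pre_session},
        form={"username": "alice", "password": "alice-password", "csrf_token": token},
    )
    return {
        "forged": check_login_request(**forged)[0],
        "genuine": check_login_request(**genuine)[0],
        "stripped": check_login_request(**stripped)[0],
    }


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        print(f"{name:8s} -> {'accepted' if accepted else 'rejected'}")
```

Either check alone stops the forged request in the figure: the Referer names www.attacker.com, and the attacker's form carries no token bound to the victim's pre-session cookie. The point of the pre-login cookie is that an ordinary session cookie does not exist yet when the login form is submitted, so the token has to be tied to something the honest site set before authentication.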
In this assignment, try to see whether WebGoat is also vulnerable to a login CSRF attack. Leave this tab open and, in another tab, create a user based on your own username prefixed with csrf-. So if your username is tom, you must create a new user called csrf-tom.
Log in as the new user. This is what an attacker would do using CSRF. Then click the button in the original tab. Because you are logged in as a different user, the attacker learns that you clicked the button.
Press the button below when you are logged in as the other user.