A10:2021 | Server Side Request Forgery | Cross Site Request Forgery (3) | Cycubix Docs
Last updated
Last updated
Trigger the form below from an external source while logged in. The response will include a 'flag' (a numeric value).
Confirm Flag
Confirm the flag you should have gotten on the previous page below.
Solution
With VC and HTML
Hints: The form has hidden inputs. You will need to use an external page and/or script to trigger it. Try creating a local page or one that is uploaded and points to this form as its action. The trigger can be manual or scripted to happen automatically.
If we hit the button submit we can see a message that says that the request its coming from the form itself.
If we open the developer tools we can see the imputs the form has.
To create your own fake page go into visual code, create an HTML with the following code:
Save the file as a fakepage.html. Go to WebWolf and upload the file. You sill see that the file will open in a new tab, and you will see the submit button. Once you do that, you will see a JSON message with the flag number: copy and paste the flag number in WebGoat's lesson.
With Engagement Tools on BurpSuite
There is a tool (Pro Version only) that allows you to create a HTML based on the POST request.