The objective of this lab is to help students understand the Cross-Site Request
Forgery (CSRF or XSRF) attack. A CSRF attack involves a victim user, a
trusted site, and a malicious site. The victim user holds an active session
with a trusted site while visiting a malicious site. The
malicious site injects an HTTP request for the trusted site into the victim
user session, causing damages.
In this lab, students will be attacking a social networking web
application using the CSRF attack. The open-source social networking application called
countermeasures against CSRF, but we have turned them off for the
purpose of this lab.
- Supervised situation (e.g. a closely-guided lab session):
- Unsupervised situation (e.g. take-home project):
- Since May 5 2019, the Firefox Add-on "HTTP Header Live" has been disabled
by Firefox, Mozilla verifies and signs add-ons that follow a set of security
guidelines (link). The version of HTTP Header Live (v 0.6 - Last Updated
April 9, 2018) installed on the VM does not comply with this security
guideline, so it was automatically disabled. The issue can be easily resolved
by installing the latest version of HTTP Header Live (v 0.6.5.1 - Last Updated May 25, 2019).