Overview
The objective of this lab is to help students understand the Cross-Site Request Forgery (CSRF or XSRF) attack. A CSRF attack involves a victim user, a trusted site, and a malicious site. The victim user holds an active session with the trusted site while visiting the malicious site. The malicious site injects an HTTP request for the trusted site into the victim user's session; because the browser attaches the victim's session cookie to that request automatically, the trusted site treats it as a legitimate action by the user, causing damage.
In this lab, students will be attacking a social networking web application using the CSRF attack. The open-source social networking application Elgg has countermeasures against CSRF, but we have turned them off for the purpose of this lab.
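To make the mechanism concrete, here is an added example (not part of the lab or of Elgg's code) contrasting a request handler with CSRF countermeasures off against the same handler with a per-session synchronizer token. The session store, the "add friend" action and the user names are constructed stand-ins for any state-changing request on the trusted site.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# The trusted site keeps a per-session CSRF token next to the login state.
SESSIONS = {}

def login(user):
    """Create a session for `user` and mint a random CSRF token for it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid

def handle_post_unprotected(cookies, form):
    """Countermeasures off: the session cookie alone authorises the action.
    The browser sends that cookie with any request for this site, including
    one a malicious page forged, so forged and genuine requests look alike."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} is now friends with {form['friend']}"

def handle_post_protected(cookies, form):
    """Countermeasures on: the form must also carry the session's CSRF token,
    which a page on another origin cannot read (same-origin policy)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} is now friends with {form['friend']}"

def demo():
    sid = login("alice")
    cookies = {"session": sid}   # what the victim's browser attaches automatically
    # Form as a legitimate page on the trusted site submits it (token included).
    legit = {"friend": "bob", "csrf_token": SESSIONS[sid]["csrf_token"]}
    # Form as a cross-site page can build it: cookie arrives, token does not.
    forged = {"friend": "mallory"}
    return {
        "unprotected_forged": handle_post_unprotected(cookies, forged)[0],
        "protected_forged": handle_post_protected(cookies, forged)[0],
        "protected_legit": handle_post_protected(cookies, legit)[0],
    }

if __name__ == "__main__":
    print(demo())
```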
Lab Tasks
Recommended Time
- Supervised situation (e.g. a closely-guided lab session):
- Unsupervised situation (e.g. take-home project):
Video
Note
- Since May 5, 2019, the Firefox add-on "HTTP Header Live" has been disabled by Firefox. Mozilla verifies and signs add-ons that follow a set of security guidelines (link). The version of HTTP Header Live (v 0.6, last updated April 9, 2018) installed on the VM does not comply with these guidelines, so it was automatically disabled. The issue can be easily resolved by installing the latest version of HTTP Header Live (v 0.6.5.1, last updated May 25, 2019).
Suggested Reading
SEED Labs
SEED Books
SEED Lectures