The goal of this lab environment is to familiarize you with Cross-Site Request Forgery (CSRF) attacks. A CSRF attack involves three parties: a victim user, a trusted website, and a malicious site.
The victim, who has an active session with a trusted site, visits a malicious site that then sends an unauthorized HTTP request to the trusted site within the victim's session, leading to potential harm.
We will perform a CSRF attack on a social networking application called Elgg, which is an open-source platform pre-installed on our virtual machine. Elgg typically includes built-in protections against CSRF, but these defenses have been disabled for this exercise.
This session will cover the following key topics:
- Cross-Site Request Forgery (CSRF) attack
- CSRF countermeasures: Secret Token and Same-site Cookie
- HTTP GET and POST requests
- JavaScript and Ajax
The lab environment consists of:
- Python
- Ubuntu 20.04 VM
- Docker
- Windows 11 Home (21H2)
Lab objectives:
- Learn how to inspect HTTP request headers and understand session behavior.
- Craft and execute a CSRF attack leveraging the GET method.
- Use POST-based CSRF attacks to manipulate form submissions.
- Re-enable and explore Elgg’s built-in CSRF protections.
Through this lab, we successfully simulated and analyzed the impact of CSRF attacks in a controlled environment. By exploiting the trust a website places in a user's browser, we demonstrated how attackers can perform state-changing actions on the user's behalf without their knowledge.
Additionally, we explored and implemented effective countermeasures, such as secret tokens and same-site cookies, to safeguard web applications from such threats. This hands-on experience emphasized the importance of secure web development practices and the role of client-side and server-side defenses in mitigating CSRF risks.
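The two countermeasures named above, as an added illustration that is not Elgg's own code: a server-side check that a state-changing request carries a per-session secret token (compared in constant time) and arrives via POST, plus a session cookie issued with the SameSite attribute so the browser withholds it from cross-site requests. The cookie name `sid` and the form field name `csrf_token` are assumptions for this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# In-memory session store: session id -> {"csrf_token": ...}. Constructed for the example.
def issue_session(sessions):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def session_cookie_header(sid):
    """Set-Cookie header for the session. SameSite=Strict tells the browser not to
    attach this cookie to requests initiated from another site, so a forged request
    from a malicious page arrives without the victim's session (cookie name assumed)."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"

def validate_state_change(sessions, method, cookie_header, form):
    """Decide whether a request to a state-changing action may proceed.
    Requires: POST (a GET-triggered action is trivially forgeable via an <img> URL),
    a known session cookie, and a form token equal to the one stored for that session."""
    if method.upper() != "POST":
        return False
    sid = SimpleCookie(cookie_header).get("sid")
    if sid is None or sid.value not in sessions:
        return False
    expected = sessions[sid.value]["csrf_token"]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token via timing differences.
    return hmac.compare_digest(expected, supplied)

if __name__ == "__main__":
    store = {}
    sid = issue_session(store)
    token = store[sid]["csrf_token"]
    cookie = f"sid={sid}"
    print(session_cookie_header(sid))
    # Legitimate form submission from the trusted site: cookie and token present.
    print("legit POST:", validate_state_change(store, "POST", cookie, {"csrf_token": token}))
    # Forged POST from a malicious page: browser attached the cookie, but the page
    # cannot read the token, so the field is missing.
    print("forged POST:", validate_state_change(store, "POST", cookie, {}))
    # Forged GET (e.g. an image URL pointing at the action): rejected by method alone.
    print("forged GET:", validate_state_change(store, "GET", cookie, {}))
```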