Laboratory 4 Itt557 Weekly Lab Assignment
LABORATORY 4
ITT 557
SESSION HIJACKING PART 2
LAB OBJECTIVES
At the end of this laboratory session, students should be able to:
i. Understand the Cross Site Request Forgery (CSRF) attack.
ii. Provide a solution to stop a Cross Site Request Forgery (CSRF) attack.
REQUIREMENTS
For this laboratory session, students are required to have the following:
i. A running web server installation (WAMP or XAMPP)
ii. A code editor (Notepad++, Sublime Text or Visual Studio)
iii. Two different browsers (any two of Chrome, Firefox or Edge)
INSTRUCTIONS
http://127.0.0.1/csrf/login.html
7. This is a dummy banking system to demonstrate how a CSRF attack can occur. In a
CSRF attack, an attacker relies on the victim's established session with a website, then
crafts a URL for the victim to click or access. When the victim accesses the URL, it
performs an action on the victim's behalf on the website. In this example, the URL
performs a money transfer from the victim's account to the attacker's account.
8. Log in to the system. The username and password can be found inside login.php.
9. Once logged in, you will get a page like this:
10. We will start with a balance of USD500,000 in the victim's account. Notice that on the
page there is a form for the victim to make a transfer to another account. Open the
file transfer.php and notice that it checks whether the user has already logged in,
and then performs the transfer. There seems to be nothing wrong with the
implementation, since the user has to be logged in to perform the transfer.
1. Since the banking system only checks whether the user is logged in, an attacker can create a
URL with a malicious request for the victim to open. In this example, the attacker sends the
victim a URL for a page containing a broken image link.
2. Open a new tab and access the following URL:
http://127.0.0.1/csrf/image.html
6. Go back to the previous tab with the main page of the banking system. Reload the page
and notice what happened to the balance. You should get the following result:
7. In this example, the victim did not realize that by loading the broken image, the browser
performed a transfer to another account. Bear in mind that the attacker could have sent the
link to the victim via a messaging application such as WhatsApp or Telegram, or by email.
1. We are going to see that there are numerous ways in which an attacker can perform a
CSRF attack. For the attack using an image to work, the request needs to be made with the
GET method. What if the request needs to be made with POST?
2. Open the file transfer.php
3. Edit lines 7 and 8 so that it becomes a POST request, like so:
4. Now try to access the URL with the broken image again, and then check whether the money
is deducted from the balance. Does it work?
Money is not deducted from the balance, but the transfer is recorded.
5. One way to submit a POST request is by using a form. Open form.html and look at the
code. It is just normal HTML with a form; the only difference is that there is a
script that auto-submits the form on load.
6. Access the URL:
http://127.0.0.1/csrf/form.html
7. Does the balance get deducted this time? This is an example of a CSRF attack using
the POST method.
1. In attack 2, we saw how an attacker can submit a form to create a POST CSRF
request. The problem with this method is that the victim will notice that a
request has been made to the banking site (since the page redirects).
2. A more silent way of making the request is to make it in the background
using XMLHttpRequest. XMLHttpRequest is a browser API that allows a website to make
requests in the background even after the page has finished loading.
3. Let us see how this works. Access the following URL:
http://127.0.0.1/csrf/xhr.html
4. Notice that the page does not load anything and does not redirect, but makes the request in
the background.
5. Check the balance in the victim's account. Does the money get deducted?
Yes
6. This is another example of CSRF, and it is more dangerous because it shows that the attacker
can create the request even while the victim is browsing a legitimate website.
LAB ASSIGNMENT
Based on the three examples above, you should now understand how a CSRF attack is
carried out. Propose a solution for how the banking system above can be fixed to prevent
CSRF attacks. Hint: use a token.
Edit the files where the fix should be done and upload them to Google Classroom. (You
will probably need to edit 2 files.) All The Best!
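One way to implement the token hint, shown here as an added example in PHP that is not part of the lab's own files (it assumes login.php sets $_SESSION['user'] on success and that transfer.php reads its fields from $_POST after step 3 of attack 2; the function names are hypothetical):

```php
<?php
// Added example (not the lab's own code): synchronizer-token fix for the dummy
// banking app. Assumes login.php sets $_SESSION['user'] on success and that
// transfer.php reads the transfer fields from $_POST (per step 3 of attack 2).
session_start();

// login.php: call this once after the credentials have been verified.
function issue_csrf_token(): string {
    // 32 bytes from the CSPRNG, hex-encoded, kept server-side in the session
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

// Main page: embed the session's token as a hidden field in the transfer form.
function csrf_hidden_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'] ?? '', ENT_QUOTES) . '">';
}

// transfer.php: validate the submitted token against the stored one.
function csrf_token_is_valid(?string $submitted, ?string $stored): bool {
    if ($submitted === null || $stored === null || $stored === '') {
        return false;                               // no token issued or none submitted
    }
    return hash_equals($stored, $submitted);        // constant-time comparison
}

// transfer.php: the checks that must precede the existing transfer logic.
if (!isset($_SESSION['user'])) {
    http_response_code(401);
    exit('Not logged in');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrf_token_is_valid($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
    // image.html, form.html and xhr.html all ride on the session cookie but cannot
    // read the token (same-origin policy), so their forged requests stop here.
    http_response_code(403);
    exit('Missing or invalid CSRF token');
}
// ... the original balance check and transfer continue below ...
```

Requiring POST closes the image (GET) variant, and the per-session token closes the form and XMLHttpRequest variants, since a page on another origin cannot read the token to include it.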