Vulnerability: Cross Site Request Forgery (CSRF)

Note: Browsers are starting to default to setting the SameSite cookie flag to Lax, and in doing so are killing off some types of CSRF attacks. When they have completed their mission, this lab will not work as originally expected.

Announcements:

• Chromium
• Edge
• Firefox

As an alternative to the normal attack of hosting the malicious URLs or code on a separate host, you could try using other vulnerabilities in this app to store them, the Stored XSS lab would be a good place to start.

More Information

• https://owasp.org/www-community/attacks/csrf
• https://www.cgisecurity.com/csrf-faq.html
• https://en.wikipedia.org/wiki/Cross-site_request_forgery