Information Security

Hacking OWASP’s Juice Shop Pt. 35: CSRF

Posted on by codeblue04

Challenge: 

Name: CSRF

Description: Change the name of a user by performing Cross-Site Request Forgery from another origin.

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Older Firefox browser

Resources used:

Solutions Guide

CSRF Payloads

Methodology: 

To start out with, let me just say that I wish the expanded description would have directed me to an older version of Firefox like the Solutions Guide did. That would have saved me quite a bit of time.

In the HTML editor (within an older browser), copy/paste the HTML code from the user profile page to the editor, then add in a CSRF payload near the top of the HTML code and enjoy your completed challenge.

You successfully solved a challenge: CSRF (Change the name of a user by performing Cross-site Request Forgery from another origin.) X

Prevention and Mitigation Strategies:

OWASP CSRF Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

I need to spend more time learning about CSRF exploits. Normally I’d have something to say here, but I’m still a little confused as to what exactly happened.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s