Cross-Site Request Forgery (CSRF) Attack Lab
OverviewCross-site request forgery, abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
To demonstrate what attackers can do by exploiting CSRF vulnerabilities, we have set up a web-based message board using phpBB. We modified the software to introduce an CSRF vulnerability in this message board (It should be noted that phpBB has implemented countermeasures against the CSRF attacks, we disabled those countermeasures for this lab). Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers' goal is to post forged messages for the victims.
Lab Description and Tasks (PDF)
Recommended Time: 1 week
Lecture Video: (watch)
Student FeedbacksTo help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finish the lab. We started to conduct the survey since 2009. The survey results depicted in the following are aggregate results over several years.