Department of Electrical Engineering and Computer Science
Syracuse University

Cross-Site Request Forgery (CSRF) Attack Lab

Overview

Cross-site request forgery, abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

To demonstrate what attackers can do by exploiting CSRF vulnerabilities, we have set up a web-based message board using phpBB. We modified the software to introduce an CSRF vulnerability in this message board (It should be noted that phpBB has implemented countermeasures against the CSRF attacks, we disabled those countermeasures for this lab). Students need to exploit this vulnerability by posting some malicious messages to the message board; users who view these malicious messages will become victims. The attackers' goal is to post forged messages for the victims.

Lab Description and Tasks (PDF)

    For instructors: if you prefer to modify the lab description to suit your own courses, you can download the source files (Latex) from here.

Recommended Time: 1 week

Lecture Video: (watch)

Helpful Links

Student Feedbacks

To help us understand how effectively this lab has enhanced students' learning in computer security, we asked students to fill out an anonymous survey right after they finish the lab. We started to conduct the survey since 2009. The survey results depicted in the following are aggregate results over several years.
  • Survey Questionnaires (doc, pdf)
  • Survey Results (not available)