Overview

The objective of this lab is to help students understand the Cross-Site Request Forgery (CSRF or XSRF) attack. A CSRF attack involves a victim user, a trusted site, and a malicious site. The victim user holds an active session with a trusted site while visiting a malicious site. The malicious site injects an HTTP request for the trusted site into the victim user session, causing damages.

In this lab, students will be attacking a social networking web application using the CSRF attack. The open-source social networking application called Elgg has countermeasures against CSRF, but we have turned them off for the purpose of this lab.

Lab Tasks (Description) (Video)

  • For instructors: if you prefer to customize the lab description to suit your own courses, here are our Latex source files.
  • VM version: This lab has been tested on our pre-built SEEDUbuntu12.04 VM.

Recommended Time:

  • Supervised situation (e.g. a closely-guided lab session): 2 hours
  • Unsupervised situation (e.g. take-home project): 1 week

Suggested Reading

SEED Project