Web Security Web Security

Challenge 4: CSRF

Learning Paths:
Check out a free preview of the full Web Security course:
The "Challenge 4: CSRF" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

In this challenge, students create a bank transfer request through the course demo application through code initiated on a third party site.

Get Unlimited Access Now

Transcript from the "Challenge 4: CSRF" Lesson

[00:00:00]
>> Mike North: Let's take ten minutes, use that horrifying vulnerability, the get request, and use a post request. See if you can look at that way that transfer funds form is setup. And I'm telling you to use jsbin.com because you can create plain HTTP landing pages there. A lot of these experiment sites like CodePen and JSFiddle, they're on HTTPS now, and you'll get a mixed content warning if you try to do stuff over regular HTTP.

[00:00:27] So we'll just use jsbin for now. But see if you can make a page, looking at the form of that URL, where every time you load the page, one of your bank accounts ends up dropping in value by a dollar each time you look at it. And this could be the kind of thing where you can just send it out.

[00:00:43] You can send like 1000 little image tags, or a bunch of them, that would just try to transfer money from a bunch of accounts. Some of the images wouldn't load, images, they wouldn't load. Some might work for some users and that's really all you need. It's a numbers game, right?

[00:00:59] You're just trying to hit a lot of people, and some you won't get, and some you will