Cross Site Request Forgery

Step 1: Here you need two browsers to perform this attack.

Browser1- Firefox.

Browser2- Firefox Incognito Mode

Step 2: Login to Internshala Trainings and open the Hacking Lab from both the browsers. Go to the hacking challenge (The URL will be different for each user). http://13.232.74.70/Cross-Site-Request-Forgery/Variant-3/

Step 3: Now login to the hacker account in Browser1. Similarly login to the victim account in Browser2. Step 4: Now create an html file (using notpad, sublime text, etc) with the following code (change the IP according to your practice lab):

<html>
<body>
<img src=”http://13.127.238.114/Cross-Site-Request-Forgery/Variant-3/cancel.php?all”>
</body>
</html>

Step 5: Save this file as csrf_poc.html. Now you can send the link to this HTML file to any user, and the moment they open it all their orders will get cancelled.

Step 6: To test, open this HTML in the victim’s browser and his orders will get cancelled in the background.

Step 7: To crosscheck, simply refresh the orders page in the victim’s browser, and all orders will be gone.

Note: Try to learn about the Remediations of CSRF and CSRF tokens.