Cross Site Request Forgery is very dangerous, and also quite common. OWASP describes Cross Site Request Forgery as:

"Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data."
1. Go to the CSRF page in DVWA and change your admin password by entering a password in the New password and Confirm new password fields and clicking the Change button. Notice that the page starts loading but does not complete. That is because we need to tell Burp Suite to forward the request and let it finish its processing.
2. Go to Burp Suite, click the Proxy tab, view the password-change HTTP request and forward it; you will then see that your password changed on the DVWA site.
Now the part we are interested in is the beginning of the HTTP request, which looks something like:
http://localhost/dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=password&Change=Change#
Now all we have to do is construct a link that will perform the same function and hide it in some HTML so our victim doesn't know it is happening.
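To make clear why that link works and what stops it, here is an added example (not DVWA's own code and not from the original post) that models the change-password endpoint as a plain Python function, once the way the tutorial observes it and once with the usual CSRF defences: state change only on POST, an Origin/Referer check, and a per-session synchroniser token. The request/session types, the `user_token` parameter name and the forged request are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed, simplified model of a request and a logged-in session (hypothetical types).
@dataclass
class Request:
    method: str
    params: dict                              # query string or form fields
    headers: dict = field(default_factory=dict)

@dataclass
class Session:
    user: str
    password: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

def change_password_vulnerable(req: Request, sess: Session) -> str:
    """Behaviour seen in the tutorial: any request that carries the session cookie
    and the three parameters changes the password, even a GET caused by a link."""
    p = req.params
    if "Change" in p and p.get("password_new") == p.get("password_conf"):
        sess.password = p["password_new"]
        return "Password Changed."
    return "Passwords did not match."

def change_password_hardened(req: Request, sess: Session) -> str:
    """Same function with CSRF defences applied before the core logic runs."""
    # 1. State changes only on POST; a GET from a link or <img> is refused outright.
    if req.method != "POST":
        return "405 Method Not Allowed"
    # 2. If the browser sent Origin or Referer, it must name our own host.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin and urlsplit(origin).netloc != "localhost":
        return "403 Forbidden: cross-site origin"
    # 3. Per-session token ('user_token' is an assumed field name), constant-time compare.
    token = req.params.get("user_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "403 Forbidden: bad CSRF token"
    return change_password_vulnerable(req, sess)  # checks passed; reuse the core logic

# Constructed forged request: the tutorial's GET parameters, arriving from another site.
FORGED = Request("GET",
                 {"password_new": "hacked", "password_conf": "hacked", "Change": "Change"},
                 {"Referer": "http://evil.example/lure.html"})

def demo() -> tuple:
    """Returns the admin password after the forged request hits each handler."""
    s1, s2 = Session("admin", "password"), Session("admin", "password")
    change_password_vulnerable(FORGED, s1)
    change_password_hardened(FORGED, s2)
    return s1.password, s2.password          # ('hacked', 'password')
```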
That is all for this part; it will be continued.