Vulnerability A8 Cross-Site Request Forgery (CSRF) Description:


Write-up

For almost all levels I will be using Burp Suite. Burp Suite is an interception proxy that lets us modify the HTTP request / response by intercepting the data between the browser and the web server.

On this one we need to craft an HTML tag that will cause users to perform an HTTP request upon loading the page. The available tags we can use are b, em, p, i, u, s, img, a, abbr, cite and code. Let’s see which ones we can actually use to complete this task.

First I tried using an HTML5 OnEvent attribute to trigger an action like
<b onload="javascript:alert('XSS');">TEST</b> but the page returned an error.


If there is no event handler, we cannot use any On-Events, and most of the available tags are useless. The solution for me was to insert an img tag whose source is the desired HTTP request.

<img src="http://site.com/bank.php?transferTo=555">

This is going to cause the browser to make an HTTP request to the URL in the src attribute as is. I would not consider this the most elegant solution, since it leaves an error from the attempt to load the non-existent image.
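Seen from the server side, as an added example that is not part of the original write-up: a Python sketch of the checks that make a request like the one above fail, listing every reason so the overlap between defences is visible. The function name, the csrf_token field, the token value and the three sample requests are assumptions constructed for illustration.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def csrf_findings(method, headers, params, session_token):
    """Return every reason to refuse a state-changing request; [] means accept."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # An <img> load is always a GET, so a transfer must not be reachable by GET.
    if method.upper() in SAFE_METHODS:
        findings.append("state change via safe method")
    # Fetch Metadata headers, when the browser sends them: a form post or a
    # fetch() arrives as dest "document" or "empty", an image load as "image".
    dest = h.get("sec-fetch-dest")
    if dest is not None and dest not in ("document", "empty"):
        findings.append("sub-resource load: " + dest)
    site = h.get("sec-fetch-site")
    if site is not None and site != "same-origin":
        findings.append("initiated from: " + site)
    # Per-session token, compared in constant time. An injected tag that
    # cannot run script has no way to read this token and attach it.
    supplied = params.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        findings.append("csrf token missing or wrong")
    return findings

# Constructed sample data (hypothetical token and header sets).
TOKEN = "constructed-session-token-1f3a"
IMG_HEADERS = {"Sec-Fetch-Dest": "image", "Sec-Fetch-Mode": "no-cors"}
# The img tag from the write-up, embedded in a page on the same origin.
IMG_SAME_ORIGIN = ("GET", dict(IMG_HEADERS, **{"Sec-Fetch-Site": "same-origin"}),
                   {"transferTo": "555"})
# The same tag embedded in a page on another site.
IMG_CROSS_SITE = ("GET", dict(IMG_HEADERS, **{"Sec-Fetch-Site": "cross-site"}),
                  {"transferTo": "555"})
# The application's own transfer form, submitted by the user.
FORM_POST = ("POST", {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
                      "Sec-Fetch-Site": "same-origin"},
             {"transferTo": "555", "csrf_token": TOKEN})

if __name__ == "__main__":
    for name, req in [("img, same origin", IMG_SAME_ORIGIN),
                      ("img, cross-site", IMG_CROSS_SITE),
                      ("form post", FORM_POST)]:
        print(name, "->", csrf_findings(*req, TOKEN) or "accepted")
```

When the tag is embedded on the same origin, the Sec-Fetch-Site check does not fire, so the method rule, the destination check and the token are what stop it.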
