CSRF - Practical example using Burp Suite and portswigger.net

From Embedded Lab Vienna for IoT & Security
Revision as of 12:59, 19 December 2023 by MPalfinger (talk | contribs)

Summary

This article describes how the labs on portswigger.net can be used to demonstrate how a CSRF attack is carried out. Unlike other articles, these labs require no additional software apart from the Burp Suite tool. The labs on portswigger.net also come in different difficulty levels, so the use of different defence methods against CSRF can be experienced in practice. By showing how two of the labs can be solved, this article also describes how a web application can be reconnoitred in order to find CSRF vulnerabilities.

Requirements

  • Software: Burp Suite Community Edition / Professional

In order to run Burp Suite, you need to fulfil the following requirements:

  • CPU Cores/Memory:
    • Minimum: 2x cores, 4GB RAM - This spec is suitable for basic tasks such as proxying web traffic and simple Intruder attacks. While Burp Suite may run on a machine with a lower specification than this, we do not recommend doing so for performance reasons.
    • Recommended: 2x cores, 16GB RAM - This is a good general-purpose spec.
    • Advanced: 4x cores, 32GB RAM - This spec is suitable for more intensive tasks, such as complex Intruder attacks or large automated scans.
  • Free Disk Space:
    • Basic installation: 1GB
    • Per project file: 2GB
  • Operating system:
    • Windows (Intel 64-bit)
    • Linux (Intel and ARM 64-bit)
    • OS X (Intel 64-bit and Apple M1)


In order to install Burp Suite, you can find a guide on their webpage: Installation of Burp Suite. The following link, Getting Started, provides general information about Burp Suite, how to use it, and tutorials.

Step-by-step

Login

The labs can be accessed only after the user has logged in. Therefore an account must be created, which can be done here. After the user has created an account and is logged in, the labs on portswigger.net are accessible.

Account Creation.png

Find the lab

Since portswigger.net hosts a large number of labs, finding the right ones takes some effort. As this article is about CSRF, we are looking for the labs related to this topic. To avoid a long search, you can find them here. This page lists all available labs but is already filtered to the CSRF part.

List of labs.png

How the labs work

As visible in the picture, the labs are all structured in the same way. At the top you find the name of the lab, and just below it the description. There are three drop-down menus:

  • Hint: The hint provides some additional information on how the lab can be solved.
  • Solution: portswigger.net provides a text-based solution for the lab.
  • Community Solutions: Additional solutions crafted by the community are listed here.


Courses

References