Example Cross Site Request Forgery (CSRF) vulnerabilities in action.
Download the code for this project by using git clone:
git clone https://github.com/Learn-by-doing/csrf-examples.gitLike any node project, you will need to download and install the required node modules for the project to run. Change into the "csrf-examples" directory:
cd csrf-examplesAnd then:
npm installThis command installs the node modules needed to run the project in a new directory named node_modules.
Once the modules have finished installing, you can run the project like this:
npm startYou should see the following if everything is OK:
Server started and listening at localhost:3000
Open your browser to and navigate to localhost:3000.
Login using the test account:
- Username:
bob - Password:
test
In a new tab, navigate to localhost:3001 to view some examples of CSRF exploits. You will notice that the balance goes down everytime you load that page. This is because the page is successfully exploiting a CSRF vulnerability.
To see the fixed version of this demo, switch to the "fixed" branch:
git checkout fixedThere are new dependencies, so you will have to re-run npm install to download them.
Now you can restart the server by pressing CTRL + C to kill the server process and then run npm start to start it up again.
Navigate again to localhost:3000 and login to the test account.
And once more try the page with the CSRF exploits: localhost:3001.
You will notice now that the account balance is unchanged.
Here are some useful links where you can learn more about this topic: