CSRF ATTACK LAB — NOVATRUST BANKING
PENTESTING — OWASP A01 CSRF VULNERABILITY ASSESSMENT
ANALYSE · CRAFT POC · DOCUMENT · REPORT · FLAG

OBJECTIVES

Browse the target banking application
Find the vulnerable transfer endpoint
Inspect the HTTP request — spot missing token
View page source — confirm no CSRF token
Craft a working CSRF proof-of-concept
Review the defences and understand each fix
Capture the flag
Submit the pentest report
PHASE 1 — RECONNAISSANCE
MISSION BRIEF
PENTESTING — CSRF ASSESSMENT

CSRF LAB — NOVATRUST BANKING

TARGET: app.novatrust-bank.com (simulated)

SCENARIO

You are a penetration tester conducting a white-box web application assessment against NovaTrust Online Banking. The client has provided test credentials and wants you to evaluate their fund transfer feature for CSRF vulnerabilities. You are logged in as test user [email protected].

SCOPE & RULES

Item          Detail
Target        app.novatrust-bank.com
Test user     [email protected]
Account       NT-441829
Balance       $12,450.00
Scope         Fund transfer feature ONLY
Out of scope  Login, account creation, admin panel

WHAT IS CSRF?

Cross-Site Request Forgery tricks a logged-in user's browser into sending a forged request to a site they are authenticated with. Because the browser automatically sends session cookies, the server cannot distinguish the forged request from a legitimate one — unless the application uses anti-CSRF controls.

YOUR TASKS

  • Browse the target app and find the transfer form
  • Inspect the HTTP request — look for missing CSRF protections
  • View page source — confirm no token in the form
  • Craft a PoC HTML page in the PoC Editor
  • Review the Defences panel — understand each fix
  • Capture the flag and complete the Report
CSRF POC EDITOR — craft your proof-of-concept
Write an HTML page a victim would visit. It should silently submit the transfer form.
CSRF DEFENCES — how to fix it
REFERENCE — CSRF
HOW CSRF WORKS
1. Victim logs into bank.com — browser stores session cookie
2. Victim visits attacker's malicious page (evil.com)
3. Malicious page contains an auto-submitting form targeting bank.com/transfer
4. Browser sends the request WITH the bank.com cookie automatically
5. Bank server sees a valid authenticated request and processes it

The attack works because the browser attaches cookies to matching-domain requests regardless of which page initiated the request.
MINIMUM PoC STRUCTURE
<html>
  <body onload="document.forms[0].submit()">
    <form action="https://TARGET/transfer" method="POST">
      <input name="to_account" value="ATTACKER_ACCT">
      <input name="amount" value="AMOUNT">
      <input name="currency" value="USD">
    </form>
  </body>
</html>
WHY IT WORKS (NO TOKEN)
Without a CSRF token, the server cannot tell whether a POST request came from its own form or from a forged page. The session cookie is proof of identity but not proof of intent — it proves WHO is making the request, not WHERE the request was initiated from.
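An added example, not code from the lab or from the NovaTrust application, of the server-side checks that restore proof of intent to a POST /transfer: a source-origin check plus a synchronizer token compared in constant time. ALLOWED_ORIGIN, the function names and the request dictionaries in demo() are assumptions constructed for this example.

```python
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed origin of the (simulated) banking application.
ALLOWED_ORIGIN = "https://app.novatrust-bank.com"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token pattern: mint one unguessable token per session,
    keep it server-side, and embed it as a hidden field in the transfer form.
    A page on another origin cannot read it out of the bank's page."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _request_origin(headers: dict) -> Optional[str]:
    """Browsers set Origin on cross-site POSTs and it cannot be spoofed by
    page script; fall back to the Referer's scheme+host if Origin is absent."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        parts = urlparse(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin


def transfer_allowed(session: dict, headers: dict, form: dict) -> Tuple[bool, str]:
    """Return (allowed, reason). The session cookie proves WHO; these two
    checks prove WHERE the request was initiated."""
    origin = _request_origin(headers)
    if origin is None:
        return False, "missing Origin/Referer"          # cannot establish source
    if origin != ALLOWED_ORIGIN:                         # also rejects "null"
        return False, f"cross-origin request from {origin}"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Constructed sample: one legitimate request, one forged auto-submit."""
    session = {}
    token = issue_csrf_token(session)
    legit = transfer_allowed(session, {"Origin": ALLOWED_ORIGIN},
                             {"to_account": "NT-441829", "amount": "10", "csrf_token": token})
    forged = transfer_allowed(session, {"Origin": "https://evil.com"},
                              {"to_account": "ATTACKER_ACCT", "amount": "10"})
    return legit, forged
```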
WHAT TO INCLUDE IN A PENTEST PoC
A good CSRF PoC for a report must:
• Auto-submit on page load (demonstrates no interaction needed)
• Target the exact vulnerable endpoint
• Include all required form parameters
• Be self-contained in a single HTML file
• NOT require the victim to click anything
CVSS SCORING FOR CSRF
Typical CSRF on a financial application:
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N = CVSS 8.1 (High)

UI:R because the victim must visit the attacker's page.
PR:N because the attacker needs no privileges on the target.
PENTEST REPORT — NovaTrust CSRF Finding
CSRF VULNERABILITY — FINDING DOCUMENTATION