Performing a cross-site request forgery attack
A cross-site request forgery (CSRF) attack is one which forces authenticated users to perform unwanted actions on the web application they were authenticated to use. This is done using an external site the user has visited and which triggers the action.
In this recipe, we will obtain the information from the application to see what the attacking site needs to do to be able to send valid requests to the vulnerable server. Then, we will create a page to simulate the legitimate requests and trick the user into visiting the page while authenticated. The malicious page will then send requests to the vulnerable server and, if the application is open in the same browser, it will perform the actions as if the user had sent them.
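Why the server treats such a request as the user's own, and the check that rejects it, shown as an added example (not code from this recipe or from WackoPicko). It is a minimal in-memory model; the handler, session store and form field names are hypothetical.

```python
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": ...} (constructed, in memory)

def login(user):
    """Create a session and a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def handle_post(cookies, form, check_token):
    """Return (status, message) for a state-changing POST (hypothetical handler)."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not authenticated"
    if check_token:
        sent = form.get("csrf_token", "")
        # Constant-time comparison against the token bound to this session.
        if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
    return 200, "action performed as " + session["user"]

def demo():
    sid = login("v_user")
    # The browser attaches the session cookie to every request sent to the site,
    # whichever page triggered that request.
    cookies = {"session": sid}
    # Request from the application's own form: the page embeds the token.
    own_form = {"comment": "hello", "csrf_token": SESSIONS[sid]["csrf"]}
    # Request triggered by another site: same cookie, but that site cannot
    # read the token, so the field is absent.
    cross_site = {"comment": "hello"}
    return {
        "cookie_only_cross_site": handle_post(cookies, cross_site, check_token=False),
        "token_cross_site": handle_post(cookies, cross_site, check_token=True),
        "token_own_form": handle_post(cookies, own_form, check_token=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With only the cookie as proof of intent, the cross-site request is indistinguishable from the user's own; binding a token to the session and requiring it in the form body is what lets the server tell them apart.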
Getting ready
To perform this CSRF attack, we will use the WackoPicko application in vulnerable_vm: http://192.168.56.102/WackoPicko. We need two users: one will be called v_user, the victim, and the other one will be called attacker...