- Cross-Site Request Forgery
- Missing Function Level Access Control
- ----------------------------------------
- Cross-Site Request Forgery.
- In this attack the hacker creates a forged HTTP request and tricks the victim into submitting it, for example through an image tag, a link, or XSS.
- The application allows a user to submit a state-changing request that includes nothing secret (nothing the attacker could not predict), so the victim's browser sends the forged request along with the victim's session cookies.
- For example:
- http://anywebsite.com/app/transferFunds?amount=1500&destinationAccount=4673243243
- All of this is done by making the victim click on a link or on some appealing image that loads the forged URL.
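- The fix for the transferFunds example above is to refuse state changes on GET and to require a per-session secret that a page on another origin cannot read. The following is an added example, not code from these notes, DVWA or LVS: a Python stand-in for the application's server-side handler using the synchronizer token pattern. The session store, the "alice" account and the balance are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the session store and the account ledger.
SESSIONS: dict = {}
BALANCES = {"alice": 5000}


def new_session(user: str) -> dict:
    """Start a logged-in session with a fresh random anti-CSRF token
    (synchronizer token pattern: one unguessable token per session)."""
    session_id = secrets.token_hex(16)
    session = {"id": session_id, "user": user, "csrf_token": secrets.token_urlsafe(32)}
    SESSIONS[session_id] = session
    return session


def render_transfer_form(session: dict) -> str:
    """The site's own page embeds the token in a hidden field. A page on
    another origin cannot read this form, so it cannot reproduce the token."""
    return (
        '<form method="POST" action="/app/transferFunds">\n'
        f'  <input type="hidden" name="csrf_token" value="{session["csrf_token"]}">\n'
        '  <input name="amount">\n'
        '  <input name="destinationAccount">\n'
        '  <button>Transfer</button>\n'
        '</form>'
    )


def transfer_funds(session: dict, method: str, params: dict) -> tuple:
    """Hardened handler for the notes' /app/transferFunds example.
    Returns (HTTP status, message)."""
    # 1. A state-changing action is never performed on GET, so the bare
    #    "?amount=1500&destinationAccount=..." link from the notes does nothing.
    if method != "POST":
        return 405, "transfers must be submitted with POST"
    # 2. The submitted token must match the one stored in this session.
    #    compare_digest avoids leaking the token through timing differences.
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(session["csrf_token"].encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    # 3. Ordinary business validation.
    try:
        amount = int(params.get("amount", "0"))
    except ValueError:
        return 400, "invalid amount"
    if amount <= 0 or amount > BALANCES[session["user"]]:
        return 400, "invalid amount"
    BALANCES[session["user"]] -= amount
    return 200, f"sent {amount} to {params['destinationAccount']}"


if __name__ == "__main__":
    s = new_session("alice")
    forged = {"amount": "1500", "destinationAccount": "4673243243"}
    print(transfer_funds(s, "GET", forged))    # GET is refused
    print(transfer_funds(s, "POST", forged))   # no token: refused
    genuine = dict(forged, csrf_token=s["csrf_token"])
    print(transfer_funds(s, "POST", genuine))  # accepted
```

- In a real deployment the same check sits in front of every state-changing route (password change included, which is what the DVWA demo abuses), and marking the session cookie SameSite=Lax or Strict adds a second, browser-enforced layer.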
- ________
- DEMO DVWA
- Steps
- Step 1: Open XAMPP and start the MySQL and Apache servers.
- Step 2: In your browser, type 127.0.0.1/dvwa in the URL field.
- Step 3: Log in to DVWA with username "admin" and password "password".
- Step 4: Go to DVWA Security and change the security level to "low".
- Step 5: Click on the "CSRF" tab on the left side.
- Step 6: Open Inspect Element.
- Step 7: Select the form with the cursor.
- Step 8: Right-click on "<form action='#'" and click "Edit as HTML".
- Step 9: Copy the code and open a Notepad file.
- Step 10: Replace the '#' in action= with "127.0.0.1/dvwa/vulnerabilities/csrf".
- Step 11: Save the file as HTML.
- Step 12: Open the saved file in a new tab (note: your old DVWA tab must still be open, so the logged-in session is still valid) and change the password using the form in the newly created file (change the password to "admin").
- Step 13: After practising, change the password back to "password".
- #For LVS
- Step 1: Open 127.0.0.1/lvs111.
- Step 2: Click on CSRF > Gmail logout options.
- Step 3: Open Gmail in a new tab.
- Step 4: Open the LVS tab and click on "submit query".
- Your Gmail account will be logged out.
- LVS-2 comment box
- Step 1: Open 127.0.0.1/lvs111.
- Step 2: Click on CSRF > CSRF in comment box.
- Step 3: Type a comment if you want to.
- Step 4: Click on the iPhone photo.
- Step 5: Click on the back button.
- A comment that was not there earlier will now have been posted.
- ________________________________________________
- Missing Function Level Access Control
- ---------------------------------------------
- It is an attack in which a hacker or an anonymous user is able to access an application function (interface) that they would otherwise never have been able to access.
- For example, if a user opens
- www.anywebsite.com/user
- and logs in with credentials, after which they get redirected to
- www.anywebsite.com/admin
- Now if a hacker is able to type www.anywebsite.com/admin directly and is let in without supplying credentials, that is a case of Missing Function Level Access Control: the application relies on the URL being unknown instead of checking the caller's rights on every request.
- ---
- steps
- Step 1: Go to 127.0.0.1/lvs111.
- Step 2: Click on Missing Function Level Access Control > "unauthenticated user access to admin".
- Step 3: Log in with credentials admin and password.
- Step 4: Copy the URL.
- Step 5: Click on logout and paste the URL.
- Try to do the same with "Authenticated user access to admin".
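- What the two LVS exercises above test is whether the server checks the caller's identity and role on every request to /admin, or only relies on the URL being hidden. The following is an added example, not code from these notes or from LVS: a Python stand-in for the server side, with a deny-by-default route policy and a session store. The user table ("admin"/"password" as in the notes, plus a constructed "bob" account), the salt and the route names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed user table. Passwords are stored as salted PBKDF2 hashes, never in clear.
SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "admin": {"pw": _hash("password"), "role": "admin"},
    "bob":   {"pw": _hash("hunter2"),  "role": "user"},
}
SESSIONS: dict = {}  # session id -> username

# Every function (URL) is mapped to the roles allowed to call it. Anything not
# listed is denied: the policy is deny-by-default, not "hide the link in the menu".
ROUTE_POLICY = {
    "/user":  {"user", "admin"},
    "/admin": {"admin"},
}


def login(username: str, password: str):
    """Return a session id on success, None otherwise."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash(password)):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def logout(sid: str) -> None:
    # Invalidate server-side; a copied URL opened after this carries no valid session.
    SESSIONS.pop(sid, None)


def authorize(path: str, sid) -> int:
    """Server-side check run on every request, before the function executes.
    Returns the HTTP status the request should receive."""
    allowed = ROUTE_POLICY.get(path)
    if allowed is None:
        return 404  # unknown function: denied rather than served
    username = SESSIONS.get(sid)
    if username is None:
        return 401  # not authenticated: knowing the URL is not enough
    if USERS[username]["role"] not in allowed:
        return 403  # authenticated, but not entitled to this function
    return 200


if __name__ == "__main__":
    # Mirrors the LVS steps: log in as admin, keep the URL, log out, paste it again.
    sid = login("admin", "password")
    print("/admin while logged in:", authorize("/admin", sid))
    logout(sid)
    print("/admin after logout (pasted URL):", authorize("/admin", sid))
    # "Authenticated user access to admin": an ordinary user with a valid session.
    bob = login("bob", "hunter2")
    print("/admin as bob:", authorize("/admin", bob))
```

- The important property is that authorize() runs on every request and consults a central policy; a copied /admin URL is worthless once the session is gone, and a logged-in non-admin gets 403 rather than the admin page.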