performing-csrf-attack-simulation

# Performing CSRF Attack Simulation ## When to Use - During authorized web application penetration tests to identify state-changing actions vulnerable to CSRF - When testing the effectiveness of anti-CSRF token implementations - For validating SameSite cookie attribute enforcement across different browsers - When assessing applications that perform sensitive operations (password change, fund transfer, settings modification) - During security audits of custom authentication and session management mechanisms ## Prerequisites - **Authorization**: Written penetration testing agreement for the target - **Burp Suite Professional**: With CSRF PoC generator functionality - **Web server**: Local HTTP server for hosting CSRF PoC pages (Python `http.server`) - **Two browsers**: One authenticated as victim, one as attacker - **Target application**: Authenticated session with valid test credentials - **HTML/JavaScript knowledge**: For crafting custom CSRF payloads > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Workflow ### Step 1: Identify State-Changing Requests Browse the application and identify all POST/PUT/DELETE requests that modify server-side state. ``` # In Burp Suite, review Proxy > HTTP History # Filter for POST/PUT/DELETE methods # Focus on actions like: # - Password/email change # - Fu...