Welcome to the Linux Foundation Forum!

Lab 3.3: How the CSRF flask example is supposed to work?


The example of CSRF app in LAB 3.3 does not work.
It is not explained how the malicious html can obtain the Session Id Cookie.
After pasting manually the session Id in the request with Burp it does work, but, I guess, is not how it is supposed to work.
Further information on the pdf will be beneficial as also a working example.

Best Answer

  • pliski
    pliski Posts: 7
    Answer ✓

    Ok, it is working now, I must have inverted some steps.

    This is what I've done today (pretty much the same as the lab) :

    • run the docker demo,
    • open localhost:5000 on the Burp browser,
    • login with admin / admin,
    • run the python evil server,
    • in the same Burp browser open another tab for localhost:1337,
    • click on submit,
    • return to the app tab and refresh,
    • the label should have been modified to "Hackzord!".



Upcoming Training