CSRF attacks
Cross-Site Request Forgery (CSRF) attacks deceive the victim's browser into sending a manipulated request to the vulnerable application while the victim is logged in. So, an application should make sure the request is legitimate.
As a CSRF attack is an attack on a logged-in user, we have to send the session cookie with the request. We can use cookielib to remember cookies between sessions:
import mechanize cookies = mechanize.CookieJar() cookie_opener = mechanize.build_opener(mechanize.HTTPCookieProcessor(cookies)) mechanize.install_opener(cookie_opener) url = "http://www.webscantest.com/crosstraining/aboutyou.php" res = mechanize.urlopen(url) content = res.read()
To test for CSRF, we have to submit the form from a page other than the actual page. We could also check the form for a CSRF token. If such a token exists in the form, manipulate the values and make sure the form fails...
 
                                             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
             
     
         
                 
                 
                 
                 
                 
                 
                 
                 
                