WebGoat CSRF 7 8

InfoSec Write-ups – Medium

WebGoat CSRF 7

WebGoat CSRF lesson 7

This lesson is very similar to the two previous ones, but this time the payload must be sent in JSON format. Let's see how this can be achieved.

Request with given values

By filling the lesson form with the given values, the HTTP request gets populated with the entered values in JSON format, and the feedback tells us that the solution is not correct, as expected.

Let's go ahead and just copy the form on the page to a new HTML file. Here you can find the form stripped of all unnecessary divs, with a hidden field added for testing.

https://medium.com/media/da1d0adba42d0c14973ac5d61689f871/href

Modified WebGoat CSRF 7 web form on firefox — this one does not work

Let's fill in the form and see what happens.

Error on form submission

The request did not work: WebGoat replies with status code 500. Let's see what Burp History shows.

Request and error response on Burp

The request here is not what WebGoat expects at all: it is a plain POST form submission (URL-encoded key=value pairs, not a JSON body), and it is never going to work here.

The WebGoat lesson page's suggestion to go read http://pentestmonkey.net/blog/csrf-xml-post-request is of the utmost importance. There PentestMonkey explains clearly how to forge an HTTP request of the needed format starting from an HTML file and a simple form, which is basically what I was trying to achieve here.

If more help is needed, there is also https://github.com/WebGoat/WebGoat/wiki/Main-Exploits, a page on the WebGoat GitHub wiki with the correct payload and some more explanation.

After reading and studying, a new HTML file is in order to forge the correct request.

https://medium.com/media/19c235e57bd1acdfb614c244ab1a8edb/href

First: the form attribute enctype="text/plain" makes the browser send the form data as bare name=value pairs, without URL-encoding the content.

Second: in order to create a valid JSON payload, the request body has to contain the content shown on the lesson page, and that text needs the following characters to form a JSON document:

" : { }

Luckily for us, HTML attribute values can be delimited by either ' or " as long as the same type of quote is used as the opening and closing character, so the two form attributes

name='{"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignoreme":"'

value='sdfsdfdf"}'

are valid HTML attributes, and together they let us put a JSON-formatted data body in the request.
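As an added example (not code from the original post), the script below models the browser's text/plain form serialisation described above, checks that the two attribute values produce a body that parses as JSON, and shows the server-side checks (Content-Type enforcement and a CSRF token) that would reject such a request. The handler logic is an assumed illustration, not WebGoat's own code.

```javascript
// Added example, not from the original post. Models how a browser serialises a
// form with enctype="text/plain" and why the quote trick yields a valid JSON
// body, then shows the defender-side checks that stop it.

// Browser-side serialisation for enctype="text/plain": for each field the body
// carries name, "=", value and a CRLF, with no percent-encoding applied.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The two attribute values from the lesson form (name first, then value).
const LESSON_FIELDS = [
  [
    '{"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignoreme":"',
    'sdfsdfdf"}',
  ],
];

// Parse the body the way a lenient JSON endpoint would; null on failure.
// Note that the "=" inserted by the browser ends up inside the ignoreme string.
function parseBodyAsJson(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null;
  }
}

// Defender's view (assumed hardened handler, not WebGoat's code):
//  - a text/plain form post can never carry Content-Type: application/json,
//    so enforcing the media type rejects the forged request outright;
//  - a CSRF token bound to the session defeats it even if the type matched.
function acceptJsonRequest(headers, body, expectedCsrfToken) {
  const ct = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return { ok: false, reason: "unexpected Content-Type" };
  const data = parseBodyAsJson(body);
  if (data === null) return { ok: false, reason: "body is not JSON" };
  if (headers["x-csrf-token"] !== expectedCsrfToken) {
    return { ok: false, reason: "missing or wrong CSRF token" };
  }
  return { ok: true, data };
}
```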

WebGoat CSRF 7 web form on firefox — this one does work

Let's submit the form, leveraging both of these aspects.

Success!!

WebGoat replies with a JSON message containing the flag.

Request on Burp

And in Burp we can see the forged request in the correct JSON format, with the added "ignoreme" attribute.

Enter the flag on the lesson page to complete it.

WebGoat CSRF 8

WebGoat CSRF lesson 8

Let's create a form starting from the structure of the WebGoat login page.

https://medium.com/media/485bc73949fc825337163969fc93e31a/href

The first one is a simpler version with just the essential components; the second one has some modifications to make it auto-submit and show a blank page.

Form file uploaded on WebWolf

Upload it to WebWolf and open it in a new tab.

The page is blank because everything in the HTML file has been hidden.

Then switch to the lesson page and click the "Solved!" button to complete the lesson.

WebGoat user menu with changed user

You are now logged in as the csrf-<your_username> user. Reload any WebGoat page and check the user shown in the top-right menu to confirm that a new login has happened.

This concludes WebGoat CSRF 7 and 8.

I hope you liked it.

PVXs — https://twitter.com/pivixih


WebGoat CSRF 7 8 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
