Cross-Site Request Forgery (CSRF)

A Useful Tool

A useful tool for Website hacking is HackBar

It only works for Firefox.


Example of A Bad Implementation.

Why is it Bad?

<form action="Shop.aspx?prod=1" method="POST">
Product: iPhone 5
Price: 449
Quantity: <input name="quantity" type="text" /> (Maximum quantity is 50)
<input name="price" type="hidden" value="449" />
<input type="submit" value="Buy" />
</form>


Notice that the form field price is flagged as hidden. Although it is not displayed, this field is still sent to the server when the user submits the form.

Although the price is hidden from the screen and the user cannot edit it through the page, it can still be bypassed, and a hacker can change the price to absolutely anything they desire. All they need to do is save the source code for the HTML page, edit the field's value, reload the source into the browser, and click the Buy button; the server receives the tampered price as if it were the real one.
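The defence is to never trust the client-supplied price: the server looks the price up itself from the product id and only bounds the quantity. The following is an added example, not code from the original page or from Shop.aspx; the catalogue, the handler names and the sample submissions are all constructed for illustration.

```python
# Added example: the vulnerable pattern from the form above beside its fix.
# CATALOGUE and MAX_QUANTITY are constructed stand-ins for the shop's real data.
CATALOGUE = {"1": ("iPhone 5", 449)}
MAX_QUANTITY = 50


def order_total_insecure(form: dict) -> int:
    """Vulnerable: multiplies whatever 'price' the browser sent.

    A page saved, edited and resubmitted with price=1 is accepted as-is.
    """
    return int(form["price"]) * int(form["quantity"])


def order_total_secure(prod_id: str, form: dict) -> int:
    """Hardened: price comes from the server-side catalogue, never the form.

    Raises ValueError for an unknown product or an out-of-range quantity.
    The submitted 'price' field, if present, is ignored entirely.
    """
    if prod_id not in CATALOGUE:
        raise ValueError("unknown product")
    _, price = CATALOGUE[prod_id]
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be a whole number") from None
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError(f"quantity must be between 1 and {MAX_QUANTITY}")
    return price * quantity


def client_price_mismatch(prod_id: str, form: dict) -> bool:
    """Detection hook: True when the submitted price disagrees with the catalogue.

    A legitimate copy of the form always sends the catalogue value, so a
    mismatch is worth logging as a tampering attempt even though it is ignored.
    """
    if prod_id not in CATALOGUE or "price" not in form:
        return False
    return form["price"] != str(CATALOGUE[prod_id][1])


def rejects(prod_id: str, form: dict) -> bool:
    """Helper for tests: True if the hardened handler refuses the order."""
    try:
        order_total_secure(prod_id, form)
    except ValueError:
        return True
    return False
```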


