CSRF Attack Demonstration

Interactive Educational Project for Understanding Cross-Site Request Forgery Vulnerabilities

Educational Purpose Only

This project is designed for educational and research purposes to understand web security vulnerabilities. It should only be used in controlled environments for learning and testing. Never use these techniques on systems you don't own or have explicit permission to test.

What is CSRF?

Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to trick a user into performing unwanted actions on a web application where they are authenticated. This attack exploits the trust that a website has in a user's browser.

Real-World Impact

CSRF attacks can lead to:

  • Unauthorized fund transfers in banking applications
  • Account settings changes without user consent
  • Email or password modifications
  • Unauthorized purchases in e-commerce sites

Project Features

Vulnerable Implementation

See how CSRF attacks work against an unprotected banking application

Secure Implementation

Learn industry-standard countermeasures with CSRF tokens and SameSite cookies

Attacker Simulation

Experience the attack from an attacker's perspective with a malicious website

Complete Source Code

Full PHP implementation with SQLite database and detailed comments

Technology Stack

PHP 7.4+, SQLite3, HTML5, CSS3, JavaScript, CSRF security tokens

Download Project Files

Download the complete CSRF demonstration project. All files are included with detailed setup instructions.

Complete CSRF Demo

ZIP Package (~45 KB)

Includes vulnerable site, attacker site, secure site, and database initialization scripts

Download Demo Package

Complete Source Code

TXT File (~31 KB)

All source code in a single text file with clear section markers

Download Code File

Setup Guide

TXT File (~22 KB)

Comprehensive setup instructions with troubleshooting tips

Download Setup Guide

Quick Start Guide

  1. Download & Extract

    Download the complete CSRF demo package and extract it to your preferred location.

    unzip csrf_demo.zip
  2. Initialize Databases

    Run the initialization scripts to create the SQLite databases with test users.

    cd csrf_demo/vulnerable
    php init_db.php

    cd ../secure
    php init_db.php
  3. Start Three Servers

    You'll need three terminal windows running simultaneously, each started from the csrf_demo directory (step 2 leaves you in csrf_demo/secure, so run cd .. first).

    # Terminal 1: Vulnerable Bank (Port 8000)
    cd vulnerable && php -S localhost:8000

    # Terminal 2: Attacker Site (Port 9000)
    cd attacker && php -S localhost:9000

    # Terminal 3: Secure Bank (Port 8001)
    cd secure && php -S localhost:8001
  4. Test the Attack

    Open your browser and navigate to the attacker site, then follow the demonstration steps.

    1. Visit: http://localhost:9000/malicious.html
    2. Select "Port 8000 - Vulnerable Bank"
    3. Open new tab: http://localhost:8000
    4. Login as alice/alice123
    5. Return to attacker tab and click "Claim Your Prize!"
    6. Watch the balance drop from $5,000 to $4,000
  5. Test the Protection

    Repeat the attack against the secure bank to see how CSRF protection blocks the attack.

    1. Same attacker site, select "Port 8001 - Secure Bank"
    2. Open new tab: http://localhost:8001
    3. Login as alice/alice123
    4. Try the attack - it will be BLOCKED!
    5. Balance remains safe at $5,000

Vulnerable vs Secure Implementation

Feature               Vulnerable Version    Secure Version
CSRF Tokens           ❌ None               ✅ Implemented
SameSite Cookies      ❌ Not set            ✅ Lax
Referer Validation    ❌ Not checked        ✅ Validated
Token Regeneration    ❌ N/A                ✅ Per transaction
Attack Success Rate   100%                  0% (in this demo)

Countermeasures Explained

CSRF Tokens

Unique, unpredictable tokens (for example 32 bytes from a cryptographic random source) are stored in the session and included as a hidden field in every state-changing request. The server compares the submitted value with the stored one in constant time (PHP's hash_equals) before processing. The attacker's page cannot read the token because of the same-origin policy, so a forged request fails the check.

SameSite Cookies

Browser-level protection that withholds the session cookie from cross-site requests. Lax blocks the cookie on cross-site POSTs and subresource requests but still sends it on top-level GET navigations, so state-changing GET endpoints stay exposed; Strict withholds it on every cross-site request. Note that "site" means scheme plus registrable domain and ignores the port, so in this demo localhost:9000 and localhost:8001 count as the same site: SameSite does not block the demo attack by itself, the token check does. To watch SameSite work on its own, serve the attacker site and the bank on different hostnames.

Referer Validation

The server checks that the HTTP Referer (or the Origin header, which browsers attach to POST requests) matches the site's own origin. The comparison must include the port, otherwise localhost:9000 passes as localhost:8001. Browsers and privacy extensions sometimes strip Referer, so decide explicitly whether a missing header fails closed or open. This is an additional layer, not a replacement for tokens.

Token Regeneration

Generate a new token after each sensitive action (and when the session is created at login) so a token that leaks, for example through a log, is only valid until the next transaction.
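
The endpoint below is an added example written for this page, not code from the project's download, showing how the four countermeasures above fit together in one PHP transfer handler. It assumes things the project does not specify: a session cookie named BANKSESSID, the secure bank served at http://localhost:8001, a SQLite file bank.db with an accounts(username TEXT PRIMARY KEY, balance INTEGER) table, and a separate login page that sets $_SESSION['user']. Under php -S it renders the transfer form on GET and validates POSTs; run as php transfer.php it checks two constructed requests offline (the attacker page's POST from localhost:9000 without a token, and a same-origin POST carrying the session token).

```php
<?php
// transfer.php: added example of the hardened transfer endpoint this section describes;
// written for this page, not the project's own code. Assumptions (not from the project):
// cookie name BANKSESSID, secure-bank origin http://localhost:8001, SQLite file bank.db with
// accounts(username TEXT PRIMARY KEY, balance INTEGER), $_SESSION['user'] set at login.
declare(strict_types=1);

const SITE_ORIGIN = 'http://localhost:8001';   // assumed scheme://host:port of the secure bank
const DB_PATH     = __DIR__ . '/bank.db';      // assumed database location

// Vulnerable pattern for contrast (roughly the port-8000 bank): the session cookie is the only
// check, so any page that can make the browser POST here can move money:
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') { do_transfer($_SESSION['user'], $_POST['to'], (int) $_POST['amount']); }

function start_secure_session(): void
{
    // SameSite=Lax keeps the cookie off cross-site POSTs. Caveat: SameSite ignores the port,
    // so localhost:9000 and localhost:8001 are the same site in this demo; the token and
    // origin checks below are what actually block the demo attack.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true,
        'samesite' => 'Lax', 'secure' => false]);  // 'secure' => true behind TLS
    session_name('BANKSESSID');
    session_start();
}

function csrf_token(): string
{
    // Synchronizer token: one unpredictable value per session, kept server-side.
    return $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
}

function csrf_rotate(): void
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));  // fresh token after each state change
}

function request_origin(array $server): ?string
{
    // Browsers send Origin on POSTs; fall back to Referer; null if neither is present.
    if (isset($server['HTTP_ORIGIN'])) {
        return rtrim($server['HTTP_ORIGIN'], '/');
    }
    $p = isset($server['HTTP_REFERER']) ? parse_url($server['HTTP_REFERER']) : false;
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    return $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
}

function csrf_check(array $post, array $server, string $expectedOrigin): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') { return false; }  // state changes only via POST
    $origin = request_origin($server);
    if ($origin === null || strcasecmp($origin, $expectedOrigin) !== 0) {
        return false;                                        // fail closed: origin missing or foreign
    }
    $sent   = $post['csrf_token'] ?? '';
    $stored = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $stored !== '' && hash_equals($stored, $sent);  // constant-time compare
}

function do_transfer(string $from, string $to, int $amount): void
{
    $db = new PDO('sqlite:' . DB_PATH, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->beginTransaction();
    $debit = $db->prepare('UPDATE accounts SET balance = balance - :amt WHERE username = :u AND balance >= :min');
    $debit->execute([':amt' => $amount, ':u' => $from, ':min' => $amount]);
    if ($debit->rowCount() !== 1) { $db->rollBack(); throw new RuntimeException('insufficient funds'); }
    $db->prepare('UPDATE accounts SET balance = balance + :amt WHERE username = :u')
       ->execute([':amt' => $amount, ':u' => $to]);
    $db->commit();
}

if (PHP_SAPI === 'cli') {
    // Offline check with constructed requests (php transfer.php): the attacker page's POST
    // from localhost:9000 without a token versus a same-origin POST carrying the session token.
    $_SESSION = ['csrf_token' => bin2hex(random_bytes(32))];
    $attack = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://localhost:9000'];
    $legit  = ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'http://localhost:8001/index.php'];
    echo 'attacker request: ', csrf_check(['to' => 'mallory', 'amount' => '1000'], $attack, SITE_ORIGIN) ? 'allowed' : 'blocked', "\n";
    echo 'legitimate request: ', csrf_check(['csrf_token' => $_SESSION['csrf_token']], $legit, SITE_ORIGIN) ? 'allowed' : 'blocked', "\n";
    exit;
}

start_secure_session();
if (!isset($_SESSION['user'])) { http_response_code(401); exit('login required'); }
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST, $_SERVER, SITE_ORIGIN)) { http_response_code(403); exit('CSRF check failed: request rejected'); }
    $amount = filter_var($_POST['amount'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($amount === false || !is_string($_POST['to'] ?? null)) { http_response_code(400); exit('bad request'); }
    do_transfer($_SESSION['user'], $_POST['to'], $amount);
    csrf_rotate();                                           // per-transaction token regeneration
    exit('transfer complete');
}
// GET: render the form with the current token embedded as a hidden field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/transfer.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . 'To: <input name="to"> Amount: <input name="amount" type="number" min="1"> '
   . '<button type="submit">Transfer</button></form>';
```

The origin check here fails closed: a legitimate user whose browser or extension strips both Origin and Referer is rejected. That is the conservative choice for a demo; in a production service the token check alone is sufficient, so some teams relax the origin check to reject only when a header is present and foreign.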

Learning Outcomes

  • Understand how CSRF attacks exploit browser cookie behavior
  • Learn to identify vulnerable endpoints in web applications
  • Implement industry-standard CSRF protection mechanisms
  • Master synchronizer token patterns
  • Apply defense-in-depth security principles
  • Gain hands-on experience with secure coding practices

About This Project

This CSRF demonstration was developed as part of the MSc Cyber Security programme at the University of Surrey. It represents a comprehensive study of web security vulnerabilities and their countermeasures.

Project Details

  • Author: Siddesh Vilas Pawar
  • Course: COMM047 - Web Security
  • Institution: University of Surrey
  • Grade: 15-17/17 Marks

System Requirements

  • PHP: Version 7.4 or higher
  • PHP Extensions: SQLite3 and PDO_SQLite
  • Browser: Any modern browser (Chrome, Firefox, Edge, Safari)
  • Operating System: Windows, macOS, or Linux
  • Terminals: 3 command prompt/terminal windows

Need Help?

Refer to the comprehensive setup guide included in the download package. It includes detailed troubleshooting steps for common issues.
