Step 02 – attacker

On the other hand, the attacker has already accessed the same blog site and he has a different account that he uses to blog about anonymous activities on a daily basis. The attacker saw that this site is already vulnerable to Cross-Site Request Forgery using his favorite scanner, Burp. Next, he will build a malicious page to infect his victims. To build his page, he enabled the proxy/intercept in Burp to analyze the contents of the web requests. On the Intercept page, he will right-click on the request and try to generate a CSRF POC:

After that, a new pop-up window will show. At this moment, the attacker can take the generated HTML code and use it by copying the contents (using the Copy HTML button) generated by Burp:

Then, Elliot, the attacker, takes this HTML code and saves it on his Kali machines' web server (he copied the HTML file to the /var/www/html/ directory and later started his Apache server using the command service apache2 start):

Now, Elliot's server is ready for his victim to visit. He used social engineering tactics to convince his victim to go to that page and click this magic button:

For this attack to work, the victim needs to be already signed in using Mutillidae. Remember, we will use his session, so we need it to be active by having the victim logged in to the system.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.98.71