bWAPP, or buggy web application, is a deliberately insecure web application.
bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. It prepares you to conduct successful penetration testing and ethical hacking projects. It is for educational purposes only.
What makes bWAPP so unique? Well, it has over 60 web bugs!
bWAPP covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project!
The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.
You can download bWAPP from here. Have fun!
It's also possible to download our bee-box, a custom Linux VM pre-installed with bWAPP.
Cross-Site Request Forgery (CSRF)
Part 1-3 Low
CSRF (Password)
CSRF (Transfer Amount)
CSRF (Secret)
CSRF (Password)
Here we can change the user's password. Let's give it a try.
Here we can see the URL:
http://192.168.178.22/bWAPP/csrf_1.php?password_new=lol&password_conf=lol&action=change
password_new=lol
password_conf=lol
action=change
With some social engineering skill you can trick the user into clicking your link with the new password in it. The change happens over a plain GET request with no anti-CSRF token, so the victim's browser attaches their session cookie and the server accepts it.
After the user clicks on the link, the password is changed.
Sample :
Cr4shy must trick Alice into submitting the request. The most basic method is to send Alice an HTML email containing the following:
<a href="http://192.168.178.22/bWAPP/csrf_1.php?password_new=lol&password_conf=lol&action=change">Warning Please Read : Dont change your Password!</a>
Alice clicks on the link and her password is changed to lol.
CSRF (Transfer Amount)
We got some money to play with.
Amount on your account: 1000 EUR
Account to transfer: 123-45678-90
Maybe vulnerable?
Now we transfer 100 EUR to Alice. It works, 900 EUR left. But I want more money, hmmm.
Hmm, 900 EUR left sucks...
Maybe math can help us.
http://192.168.178.22/bWAPP/csrf_2.php?account=123-45678-90&amount=0&action=transfer
account=123-45678-90
amount=0
action=transfer
What happens if I add amount=+1.000.000?
Ohhh Nooooo
Amount on your account: -999000 EUR. Now only self-kill works.
Now, if a + removes money from the account, a - should add money to the account, I hope. The server does not check the sign of the amount or the balance at all.
Now we can stop working and go live in freedom and peace.
Amount on your account: 1001000 EUR
I don't need more.
Vuln 2:
With some social engineering skill you can trick the user into clicking your link with the amount of money to transfer.
After the user clicks on the link, they can say goodbye to their money.
Sample :
Cr4shy must trick Alice into submitting the request. The most basic method is to send Alice an HTML email containing the following:
<a href="http://192.168.178.22/bWAPP/csrf_2.php?account=123-45678-90&amount=1000000&action=transfer">Warning Please Read : You got Hacked please change your Password fast!</a>
Alice clicks on the link and bye bye to Alice's money.
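As an added example (not bWAPP's code), here is the server-side logic that closes both holes shown above: the transfer is only accepted over POST with a per-session anti-CSRF token that a link in an e-mail cannot know, and the amount must be a positive money value, so amount=-1000000 no longer credits the account. The Session class, check_csrf and handle_transfer are hypothetical names written for this illustration; the sample requests are constructed from the URLs in this post.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed stand-in for a server-side session (not bWAPP's own code).
# The CSRF token is random per session and is never placed in a URL.
@dataclass
class Session:
    user: str
    balance: Decimal = Decimal("1000")
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def check_csrf(method: str, params: dict, session: Session) -> Optional[str]:
    """Return a rejection reason, or None when the request passes."""
    # State changes only over POST: a link in an e-mail is always a GET.
    if method.upper() != "POST":
        return "state change requested over GET"
    token = params.get("token", "")
    # Constant-time compare so a wrong token cannot be refined by timing.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "missing or wrong CSRF token"
    return None

def handle_transfer(method: str, params: dict, session: Session) -> str:
    """Transfer handler with the CSRF check and strict amount validation."""
    reason = check_csrf(method, params, session)
    if reason:
        return f"rejected: {reason}"
    try:
        amount = Decimal(params.get("amount", ""))
    except InvalidOperation:
        return "rejected: amount is not a number"
    # Positive, finite, at most two decimals: closes the negative-amount trick.
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        return "rejected: amount must be positive with at most two decimals"
    if amount > session.balance:
        return "rejected: insufficient funds"
    session.balance -= amount
    return f"ok: {amount} EUR transferred, {session.balance} EUR left"

if __name__ == "__main__":
    alice = Session(user="alice")
    forged = {"account": "123-45678-90", "amount": "1000000", "action": "transfer"}
    print(handle_transfer("GET", forged, alice))   # the link from the e-mail
    print(handle_transfer("POST", forged, alice))  # forged form, no token
    valid = dict(forged, amount="100", token=alice.csrf_token)
    print(handle_transfer("POST", valid, alice))   # legitimate same-site form
```

In a real deployment the session cookie should also be set with SameSite=Lax or Strict, so a cross-site GET like the link above is not even sent with the cookie.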
CSRF (Secret)
Maybe later.
I can't find the screenshot?? Can you please update it with the screenshot????
Request you to do it asap, please.
The screenshots are all dead :/
A nice guide but a bit basic... Maybe enhance it by adding permission escalation CSRF :)
Very nice, I like the way you explained it. I also wrote something on similar lines on what we need to know about CSRF.
Cross site request forgery csrf