How to do it...

We first need to analyze the request we want to force the victim to make. To do this, we need Burp Suite, or another proxy configured in the browser:

  1. Log in to BodgeIt as any user and click on the username to go to the profile.
  2. Make a password change. Let's see what the request looks like in the proxy:

So, it is a POST request to http://192.168.56.11/bodgeit/password.jsp and has only the password and its confirmation in the body.

  3. Let's try to make a very simple HTML page that replicates this request. Create a file (we'll name it csrf-change-password.html) with the following contents:
<html><body><form action="http://192.168.56.11/bodgeit/password.jsp" ...
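
The request analysis from the first two steps can be turned into a repeatable check. The following is an added example, not code from the book: it parses a captured request and lists the properties that leave it open to cross-site forgery. The parameter names `password1`/`password2`, the cookie value, and the token-name heuristics are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

# Constructed sample of the captured password-change request. The parameter
# names and cookie value are assumptions; the page only states that the body
# carries the password and its confirmation.
SAMPLE_REQUEST = (
    "POST /bodgeit/password.jsp HTTP/1.1\r\n"
    "Host: 192.168.56.11\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: JSESSIONID=CONSTRUCTED0000\r\n"
    "\r\n"
    "password1=NewPass123&password2=NewPass123"
)

TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")  # heuristic name fragments


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, parse_qs(body, keep_blank_values=True)


def csrf_findings(raw):
    """Return reasons why the request could be replayed from another site."""
    method, headers, fields = parse_request(raw)
    findings = []
    if method not in ("POST", "PUT", "PATCH", "DELETE"):
        return findings  # only state-changing methods are reviewed here
    names = list(fields) + list(headers)
    if not any(h in n.lower() for n in names for h in TOKEN_HINTS):
        findings.append("no anti-CSRF token in body or headers")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain"):
        findings.append("content type can be sent by a plain HTML form")
    if "cookie" in headers and "authorization" not in headers:
        findings.append("session is carried only by a cookie")
    return findings


if __name__ == "__main__":
    for finding in csrf_findings(SAMPLE_REQUEST):
        print("-", finding)
```

A request that returns an empty list here is not proven safe; the check only flags the absence of the usual defences, so the server-side token validation still has to be confirmed.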
