CSRF Example

This is a small example that demonstrates how the CSRF protection in Microdot works.

Running the example

Start by cloning the repository or copying the two example files app.py and evil.py to your computer. The only dependency these examples need to run is microdot, so create a virtual environment and run:

pip install microdot

You need two terminals. On the first one, run:

python app.py

To see the application, open http://localhost:5000 in your web browser. The application allows you to make payments through a web form. Each payment that you make reduces the balance in your account. Type an amount in the form field and press the "Issue Payment" button to see how the balance decreases.

Leave the application running. On the second terminal run:

python evil.py

Open a second browser tab and navigate to http://localhost:5001. This application simulates a malicious web site that tries to steal money from your account. It does this by sending a cross-site form submission to the first application.

The malicious application presents a form that fools you into thinking you can win some money. Clicking the button submits a cross-site request to the payment form of the first application, with the payment amount set to $100.

Because the first application has CSRF protection enabled, the cross-site request is rejected and your balance does not change.

If you want to see how the attack can succeed, open app.py in your editor and comment out the line that creates the csrf object. Restart app.py in your first terminal, then go back to the second browser tab and click the "Win $100!" button again. You will now see that the form is submitted successfully and your balance in the first application is decremented by $100.
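To make the mechanics behind the two terminals concrete, here is an added, self-contained model of token-based CSRF protection. It is not Microdot's code and it does not show how Microdot's csrf object implements its check; the field name csrf_token, the session handling, and the Account and PaymentApp classes are assumptions made for this illustration only. The legitimate form carries the token the server embedded in the page it served; the cross-site form can know the target URL and the field names, but not that token, so it is rejected unless the check is disabled:

```python
"""Model of synchronizer-token CSRF protection (illustration, not Microdot's code)."""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # assumed name of the hidden form field (hypothetical)


class Account:
    """Constructed sample account with a starting balance."""

    def __init__(self, balance=1000):
        self.balance = balance


class PaymentApp:
    """Models the protected app: a form page that embeds a token, and a payment handler."""

    def __init__(self, csrf_enabled=True):
        self.csrf_enabled = csrf_enabled  # False models commenting out the csrf object
        self.sessions = {}  # session id -> {"csrf": token}; a session cookie would carry the id
        self.account = Account()

    def render_form(self, session_id):
        """GET /: create (or reuse) the session's token and embed it in the form."""
        session = self.sessions.setdefault(session_id, {})
        if "csrf" not in session:
            session["csrf"] = secrets.token_urlsafe(32)
        # The hidden field is readable by the page that was served it,
        # but not by a page on another origin.
        return {"amount": "", TOKEN_FIELD: session["csrf"]}

    def submit_payment(self, session_id, form):
        """POST /pay: reject unless the submitted token matches the session's token."""
        session = self.sessions.get(session_id, {})
        if self.csrf_enabled:
            expected = session.get("csrf")
            supplied = form.get(TOKEN_FIELD)
            # Constant-time comparison so the token cannot be recovered byte by byte.
            if not expected or not supplied or not hmac.compare_digest(expected, supplied):
                return 400, self.account.balance
        self.account.balance -= int(form["amount"])
        return 200, self.account.balance


def evil_form():
    """The cross-site page's form: it knows the URL and field names, not the token."""
    return {"amount": "100"}


def run_demo(csrf_enabled):
    """Return (status, balance) for a legitimate payment, then for the forged one."""
    app = PaymentApp(csrf_enabled=csrf_enabled)
    sid = "victim-session"  # the browser attaches the same session cookie to both requests
    legit = app.render_form(sid)
    legit["amount"] = "25"
    status_legit, balance_legit = app.submit_payment(sid, legit)
    status_evil, balance_evil = app.submit_payment(sid, evil_form())
    return status_legit, balance_legit, status_evil, balance_evil


if __name__ == "__main__":
    print("protection on: ", run_demo(True))   # forged request rejected
    print("protection off:", run_demo(False))  # forged request takes $100
```

With protection on, the legitimate payment succeeds and the forged one gets a 400 with the balance untouched; with protection off, both succeed, which is the behaviour you see after commenting out the csrf object and restarting app.py.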