# CSRF Example
This is a small example that demonstrates how the CSRF protection in Microdot works.

## Running the example
Start by cloning the repository or copying the two example files *app.py* and *evil.py* to your computer. The only dependency these examples need to run is `microdot`, so create a virtual environment and run:

```
pip install microdot
```

You need two terminals. On the first one, run:

```
python app.py
```

To see the application, open *http://localhost:5000* in your web browser. The application allows you to make payments through a web form. Each payment that you make reduces the balance in your account. Type an amount in the form field and press the "Issue Payment" button to see how the balance decreases.

Leave the application running. On the second terminal, run:

```
python evil.py
```

Open a second browser tab and navigate to *http://localhost:5001*. This application simulates a malicious web site that tries to steal money from your account. It does this by sending a cross-site form submission to the above application.

The application presents a form that fools you into thinking you can win some money. Clicking the button triggers the cross-site request to the form in the first application, with the payment amount set to $100.

Because the application has CSRF protection enabled, the cross-site request fails.

If you want to see how the attack can succeed, open *app.py* in your editor and comment out the line that creates the `csrf` object. Restart *app.py* in your first terminal, then go back to the second browser tab and click the "Win $100!" button again. You will now see that the form is submitted successfully and your balance in the first application is decremented by $100.
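An added illustration of the token check the demo relies on, written for this page and not taken from the Microdot example or the `microdot` library: a constructed payment handler that accepts a same-origin form carrying the session's hidden token and rejects a cross-site post like the one from *evil.py*, which cannot read that token; with the check disabled, as in the last step above, the cross-site post goes through.

```python
import hmac
import secrets


def new_session(balance=1000):
    """Constructed stand-in for the server-side session of the payment app:
    the account balance plus a random per-session CSRF token."""
    return {"balance": balance, "csrf_token": secrets.token_urlsafe(32)}


def render_form(session):
    """Fields the same-origin page embeds in its form: the hidden token."""
    return {"csrf_token": session["csrf_token"]}


def issue_payment(session, form, csrf_enabled=True):
    """Handle a POST to the payment form; return (status, balance).

    The browser attaches the session cookie to any form post aimed at this
    origin, so the cookie alone cannot tell a same-origin form from a
    cross-site one. The token can: an attacker's page never sees the
    victim's page, so it cannot supply the right value.
    """
    if csrf_enabled:
        submitted = form.get("csrf_token", "")
        # Constant-time comparison so the check leaks nothing about the token.
        if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
            return 400, session["balance"]
    try:
        amount = int(form["amount"])
    except (KeyError, ValueError):
        return 400, session["balance"]
    if amount <= 0 or amount > session["balance"]:
        return 400, session["balance"]
    session["balance"] -= amount
    return 200, session["balance"]


def simulate(csrf_enabled):
    """Replay the demo: one legitimate $25 payment, then the cross-site $100 post."""
    session = new_session()
    legit = dict(render_form(session), amount="25")   # token included by the real form
    ok_status, _ = issue_payment(session, legit, csrf_enabled)
    evil = {"amount": "100"}                           # cross-site form: no token
    evil_status, balance = issue_payment(session, evil, csrf_enabled)
    return ok_status, evil_status, balance
```

`simulate(True)` ends with the balance reduced only by the legitimate payment, while `simulate(False)` also loses the $100 the cross-site form asked for.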