Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows attackers to trick victims into executing unwanted actions on a web application in which they are currently authenticated. In simpler terms, it's a way for an attacker to make your web browser do something you didn't intend to do, even if you're logged into a trusted website.
● Transfer money out of your bank account
● Change your password
● Post embarrassing content on your social media accounts
● Buy items on your online shopping car
There are two main ways that CSRF attacks can be carried out:
1. Tricking the victim into clicking on a malicious link: The attacker can send the victim a link that, when clicked, sends a forged request to the targeted website. The link could be embedded in an email, social media post, or even a seemingly harmless image.
2. Embedding malicious code on a website: The attacker can embed malicious code on awebsite that the victim is likely to visit. This code can then send a forged request to the targeted website without the victim's knowledge or consent
Step 1: Open Burp's browser and log in to your account. Submit the "add admin" form, and find the resulting request in your Proxy history.
Step 2: If you're using Burp Suite Professional, right-click on the request and select Engagement tools / Generate CSRF PoC.
Step 3: Alternatively, if you're using Burp Suite Community Edition, use the following "https://tools.nakanosec.com/csrf/" just submit the "POST" request it will be convert into html.
Step 4: Send the file to victim when victim click this file you will be admin of the victim company.