
CSRF — Missing Token on Money Transfer

Difficulty: Easy · Category: Broken Access Control (A01:2021) · Estimated time: 20 min


Scenario

AcmeBank's transfer form accepts a POST to /transfer with two fields: to (recipient account) and amount. There is no CSRF token on this form, and the session cookie carries no SameSite attribute, so the browser attaches it to every POST aimed at AcmeBank, including one submitted from a page on a different site.

Your task: prove you understand CSRF by submitting the attacker-controlled payload that would transfer $9999 to account attacker-acct-666 if a logged-in victim visited your malicious page.

Objective

Open the simulated attacker page (right pane: click the "Visit attacker.example" button). It auto-submits a CSRF transfer. After it fires, AcmeBank reveals the flag in the response body. Copy that flag.

Why the form is vulnerable

  • No anti-CSRF token: the real form has no <input type="hidden" name="_csrf"> bound to the session, so the server cannot tell a forged POST from a genuine one.
  • The session cookie has no SameSite attribute. Either Strict or Lax would make the browser withhold the cookie from a cross-site POST; without it, the forged request arrives fully authenticated.
  • No Origin / Referer verification on the server. A browser-issued cross-site POST carries an Origin header naming the attacker's site, but AcmeBank never looks at it.

The flag

Look for the TC{csrf_…} string that AcmeBank logs into the page after the forged transfer succeeds.

Hints

Hint 1 (−10 pts)

First log into AcmeBank (any username/password — it accepts any). Then click 'Visit attacker.example' to simulate the victim falling for a malicious link.

Hint 2 (−10 pts)

The attacker page contains an auto-submitting form pointing at AcmeBank's /transfer endpoint. The browser sends the AcmeBank session cookie with it because the cookie has no SameSite restriction, and the server, which checks neither a token nor the Origin header, processes the transfer. The flag appears in the post-transfer notification.

Hint 3 (−10 pts)

Full flag: TC{csrf_no_token_no_samesite_easy_win}

Lab environment · sandboxed iframe · auto-resets every 60 min