There's cross site request forgery (CSRF) protection, but how good is it?

Last completed by arthusu

Challenge Information

<font color=red>Note: Use a keen eye on this challenge to notice what's happening</font> <br><br> Our admin panel was hacked because someone discovered a way to force a request to be sent when we visited a malicious website. I got John onto it and he added CSRF protection, and even did some checks to make sure no-one was trying to iframe us from their site! I think we're safe now. I've learnt on what CSRF is and i'm pretty sure no-one can force the admin password to be reset if we were tricked onto another malicious site. <br><br> <b>Challenge target</b>: Can you successfully force the admin password to be updated via CSRF? This means you must be on YOUR site and be able to force the data to be updated successfully. You must see the "Changes saved!" message in green (or prove it with screenshot of request), and your attack should require no more than 1 user interaction.

Finished the challenge? Submit your answer

Challenge Answer
Reveal answer