Home

/

Test

/

CSRF Login attack

CSRF Login attack

Hackers trick users to log into their account by forging requests, exploiting server authentication.

Broken User Authentication (BUA)

"A login CSRF attack involves hackers tricking users into logging into an attacker-controlled account." "By forging a request using their credentials and submitting it to the victim's browser, the server mistakenly authenticates the request, granting access to the attacker's account."

"A login CSRF attack involves hackers tricking users into logging into an attacker-controlled account." "By forging a request using their credentials and submitting it to the victim's browser, the server mistakenly authenticates the request, granting access to the attacker's account."

Impact of the vulnerability

Impact of the vulnerability

"Depending on the user account and information exposed, the impacts of an attack range from mild to severe." "Some consequences of a successful login CSRF attack include: Deployment of malicious code, Unauthorized financial transactions and Data breach and sensitive information exposure"

"Depending on the user account and information exposed, the impacts of an attack range from mild to severe." "Some consequences of a successful login CSRF attack include: Deployment of malicious code, Unauthorized financial transactions and Data breach and sensitive information exposure"

How this template works

APIs Selection

The template uses API selection filters to specify criteria for selecting the desired API requests. In this case, it filters requests based on the response code being between 200 and 299, the URL containing certain keywords related to login, and the request payload containing certain keywords related to passwords.

Execute request

The template specifies a single request to be executed. It deletes a specific header from the request using the extracted value from the request headers. This step is performed to simulate the removal of a potentially vulnerable header that could be exploited in a CSRF login attack.

Validation

The template defines validation criteria for the response received from the executed request. It checks that the response code is between 200 and 299, the response payload matches at least 80% of the expected payload, and the response length is greater than 0. These validations ensure that the request was successful and the response meets the expected criteria.

Frequently asked questions

What is the purpose of the CSRF_LOGIN_ATTACK array in this test

What is the purpose of the CSRF_LOGIN_ATTACK array in this test

What is the purpose of the CSRF_LOGIN_ATTACK array in this test

How are the API selection filters used in this test

How are the API selection filters used in this test

How are the API selection filters used in this test

What does the execute section of the test do

What does the execute section of the test do

What does the execute section of the test do

How is the response validated in this test

How is the response validated in this test

How is the response validated in this test

What are some potential impacts of a successful login CSRF attack

What are some potential impacts of a successful login CSRF attack

What are some potential impacts of a successful login CSRF attack

What are some references for further information on CSRF login attacks

What are some references for further information on CSRF login attacks

What are some references for further information on CSRF login attacks

Loved by security teams!

Loved by security teams!

Product Hunt Badge

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Loom Company logo

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Loom Company logo

Security team,

Loom

"We are absolutely thrilled with the testing feature of Akto. We have used it on our graphQL endpoints and it performs flawlessly identifying common API security issues. It's truly a game-changer and we highly recommend Akto to anyone looking to effortlessly secure their API endpoints. With a user-friendly interface, it's the perfect solution for anyone looking to embrace custom rules with context to reduce false positives."

Loom Company logo

Security team,

Loom

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Rippling Company logo

Security team,

Rippling

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Rippling Company logo

Security team,

Rippling

"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "

Rippling Company logo

Security team,

Rippling

Explore other tests

JWT authentication bypass via jku header injection

JWT Failed to verify Signature

JWT None Algorithm

Broken Authentication by removing auth token

CSRF test by removing csrf token

CSRF test by replacing with invalid csrf token

Learn more:

Exploring CSRF
Exploring CSRF
Exploring CSRF

Content

9 mins

Exploring Cross-Site Request Forgery (CSRF) vulnerabilities: Still a threat!

top-10-owasp-apisecurity-2019
top-10-owasp-apisecurity-2019
top-10-owasp-apisecurity-2019

Content

10 min read

What's changed in OWASP API Security Top 10 2023 Release Candidate from 2019?

Suggest API security tests

Suggest API security tests

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.

We're actively building the test library. Suggest a test! If we like your suggestion, you will see it in the library in few days.