Run the following Docker image:
docker run -p 8080:8080 -t arcuri82/bank-unsecure
Such web application represents an extremely simplified bank.
Open the page at localhost:8080 with 2 different browsers, e.g.,
Chrome and Firefox.
In each of them, sign up with two different accounts, e.g.,
A (on Chrome) and B (on Firefox/Safari/Edge).
Each account starts with 1000 credits.
It is important to use 2 different browsers, so session cookies are not shared,
and can login with 2 different users at the same time from the same machine.
From A, do transfer some credit to B (e.g., 200). Refresh the page
in B to verify the money has been transferred (e.g., B should have 1200
credits now). Transfer the money back, so that both A and B have the same
starting amount of credits.
In B, logout and create an account for a user called eve (note, use this
exact name, it is important).
From the browser of A, while A is logged in, open the index_ajax.html
file from this folder.
Assume A was tricked to visit such page via Social Engineering.
Such page will try to transfer 1000 credits from the currently logged in user
toward eve.
However, such attempt should fail.
Read the source code of index_ajax.html to understand what it is trying
to do under the hood.
In Chrome Developer Tools, look at the Console to see what was the problem.
Make sure you are able to explain why such attack did fail.
Using a index_ajax.html as a starting point template, fix such page
to rather use a hidden POST form triggered automatically by JavaScript
at page load.
Open such page from the same browser of where A is logged in.
Verify (e.g., by refreshing the pages) that 1000 credits are automatically transferred to (i.e., stolen by)
eve.
Solutions to this exercise can be found under the
solutions/09 folder.