This lab contains login functionality and a delete account button that is protected by a CSRF token. The goal of the lab is to entice the use into deleting their account.
To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The account is solved when the account is deleted.
You have an account on the application that you can use to help design your attack. The credentials are: carlos / montoya.
The victim will be using Chrome so test your exploit on that browser.
Login to the account on the target website.
Use the following HTML template and provide the details as follows:
Go to the exploit server, paste your exploit HTML into the "Body text" box, and click "Store".
Click "View stored response".
Hover over "Test me" and ensure the cursor changes to a hand indicating that the div element is positioned correctly. If not, adjust the position of the div element by modifying the top and left properties of the style sheet.
Once you have the div element lined up correctly, change "Test me" to "Click me" and click "Store".
The simulated victim now clicks on the div element and the lab should be solved.
If you reload the account page then you will observe that you are now unauthorized to access the account as it has been deleted.