Software Security Training

Exercise: The Invisible Request (CSRF)

In this activity, you will prevent Cross-Site Request Forgery (CSRF) by validating a unique, per-session anti-CSRF token on every state-changing request.

Scenario: A hacker has created a hidden form on their website. When logged-in users visit it, their browser automatically sends a "Transfer $1,000" request to your bank. Because the browser attaches the user's valid session cookie to that request on its own, the bank cannot tell it apart from a genuine one and processes it!

Your Task

Modify the `process_transfer` function to verify the request (the test harness calls it with the session dictionary, the transfer amount, and the submitted token, in that order):

  1. Check Session: Ensure the user is logged in (already done).
  2. Validate Token: Compare the `user_token` (from the form) against the `session_token` (from the server).
  3. Block if Mismatch: If they don't match, return "Access Denied".
from js import window import secrets window.python_is_ready = True try: document = window.document status = document.getElementById("engine-status") status.innerHTML = "Engine: Python Active" except: pass def python_test_logic(user_code): results = [] def add_log(msg, type="normal"): results.append({"msg": msg, "type": type}) add_log("[SYSTEM] Starting Bank Server...", "system") # Setup Mock Session server_token = secrets.token_hex(16) user_session = { 'username': 'Alice', 'csrf_token': server_token } # Hacker's fake token (or no token) hacker_token = "fake_token_123" try: # Load user code exec_globals = {} exec(user_code, exec_globals) if "process_transfer" not in exec_globals: add_log("[!] Error: Function 'process_transfer' not found.", "fail") return results, "FAILED" process_transfer = exec_globals["process_transfer"] # --- TEST 1: CSRF ATTACK (Must Fail) --- add_log("--- TEST 1: CSRF Attack Simulation ---", "system") add_log(f" [HACKER] Sending transfer request...", "info") add_log(f" [HACKER] Token used: '{hacker_token}' (INVALID)", "info") result_attack = process_transfer(user_session, 1000, hacker_token) if "Success" in result_attack: add_log(f" -> SERVER RESPONSE: {result_attack}", "fail") add_log(" -> FAIL: CSRF Attack Successful! 
Money stolen.", "fail") return results, "FAILED - Hacked" else: add_log(f" -> SERVER RESPONSE: {result_attack}", "pass") add_log(" -> PASS: Malicious request blocked.", "pass") # --- TEST 2: LEGITIMATE REQUEST (Must Succeed) --- add_log("--- TEST 2: Valid User Request ---", "system") add_log(f" [USER] Sending transfer request...", "info") add_log(f" [USER] Token used: '{server_token}' (VALID)", "info") result_valid = process_transfer(user_session, 50, server_token) if "Success" in result_valid: add_log(f" -> SERVER RESPONSE: {result_valid}", "pass") add_log(" SUCCESS: CSRF Token logic is correct.", "pass") return results, "PASSED - Secure" else: add_log(f" -> SERVER RESPONSE: {result_valid}", "fail") add_log(" -> FAIL: Valid request was blocked!", "fail") return results, "FAILED - Logic Error" except Exception as e: add_log(f"[!] Runtime Error: {e}", "fail") return results, "ERROR" return results, "UNKNOWN" window.python_test_runner = python_test_logic