Presentation Demos for the IT Security Symposium
Demo stuff for the 2011 UCDavis IT Security Symposium.

* Demo the banking application.
* Now to the evil side.
* First we can do a GET request that changes money. This is bad: only idempotent operations should be GET.
* Change it to POST; now the GET no longer works.
* Now the evil bank does the POST example, which works. This is of course because no authorization is being performed.
* Showing the above is optional, really; it is not a CSRF attack.
* Now lock the action down with authorization.
* For CSRF #1, get the user to visit http://localhost:5416/Csrf/GetForgeryPage. This is the GET attack example.
* For CSRF #2, get the user to visit http://localhost:5416/Csrf/PostForgeryPage. This is the POST attack.
* Solve the POST attack by adding an anti-forgery token.