CSRF - Cross-site Request Forgery.
An explanation of how it works is out of scope for this post; there is a lot of information about it on the internet.
The purpose of this post is to give you an idea of how you can implement CSRF tests for your site using Selenium WebDriver in Java. The exact implementation depends on your project.
How to test CSRF
To test CSRF we follow these steps:
Log in to the site we need to test.
Try to send a request (in our case a change-password request) to the site from another site (or from a local HTML page).
CSRF test. CSRF attack from a local HTML page
This is how our regular test (without a CSRF attack) could look:
Now let's implement a CSRF test: after logging in, we open a local HTML file that contains the same form as ChangePasswordPage has.
That form sends the attacker's new password to the site.
We save that file (change-password.html) in the resources folder.
Once logged in, we open the file and submit the form with the attacker's new password.
The test might look like this:
We can also verify that the password wasn't changed, i.e. that the site rejected the forged request.
CSRF test. CSRF attack - replacing innerHTML
Now we want to test CSRF using another approach. The difference is that instead of loading a local HTML file we go to another site (say www.google.com) and then replace the HTML of that page with the content of our file.
The test that simulates a CSRF attack would look like this:
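As an added example (not the post's own code), here is how both approaches, the local-file form and the innerHTML replacement, could be combined in one JUnit 5 test class with a shared login and a shared "password unchanged" check. It assumes a placeholder site at BASE_URL with a login form (field ids username and password) that shows an element with id logout once logged in, a change-password form whose fields are named newPassword and confirmPassword, that change-password.html in src/test/resources contains the same form with an absolute action URL pointing at the site, and that "the password wasn't changed" is checked by logging in again with the original password.

```java
import java.nio.file.*;
import org.junit.jupiter.api.*;
import org.openqa.selenium.*;
import org.openqa.selenium.chrome.ChromeDriver;

public class CsrfTest {
    // Placeholder site, credentials and field names: replace with the project under test.
    static final String BASE_URL = "https://site-under-test.example";
    static final String USER = "alice", PASSWORD = "original-password";
    static final String ATTACKER_PASSWORD = "attacker-chosen-password";
    static final Path FORM_FILE = Paths.get("src/test/resources/change-password.html"); // forged copy of the ChangePasswordPage form
    WebDriver driver;
    @BeforeEach void setUp() { driver = new ChromeDriver(); loginAs(USER, PASSWORD); }
    @AfterEach void tearDown() { driver.quit(); }

    // Approach 1: the forged form is opened from a local file (a file:// origin, Origin header "null").
    @Test void csrfFromLocalHtmlPage() {
        driver.get(FORM_FILE.toAbsolutePath().toUri().toString());
        submitForgedForm();
        assertPasswordUnchanged();
    }

    // Approach 2: open an unrelated site and swap its body for the forged form; the POST is then sent
    // from the www.google.com origin, so the Origin header the server sees is not the site's own.
    @Test void csrfByReplacingInnerHtml() throws Exception {
        driver.get("https://www.google.com");
        String forgedHtml = Files.readString(FORM_FILE);
        ((JavascriptExecutor) driver).executeScript("document.body.innerHTML = arguments[0];", forgedHtml);
        submitForgedForm();
        assertPasswordUnchanged();
    }
    private void loginAs(String user, String password) {
        driver.get(BASE_URL + "/login");
        driver.findElement(By.id("username")).sendKeys(user);
        driver.findElement(By.id("password")).sendKeys(password);
        driver.findElement(By.id("password")).submit();
    }
    // The browser may attach the site's session cookie to this cross-site POST; a CSRF defence
    // (anti-CSRF token, SameSite cookie, Origin check) is what should make the server reject it.
    private void submitForgedForm() {
        driver.findElement(By.name("newPassword")).sendKeys(ATTACKER_PASSWORD);
        driver.findElement(By.name("confirmPassword")).sendKeys(ATTACKER_PASSWORD);
        driver.findElement(By.name("confirmPassword")).submit();
    }
    // Assumed check: drop the session (cookies are deleted for the current domain only, so go
    // to the site first) and log in again with the original password.
    private void assertPasswordUnchanged() {
        driver.get(BASE_URL); driver.manage().deleteAllCookies();
        loginAs(USER, PASSWORD);
        Assertions.assertFalse(driver.findElements(By.id("logout")).isEmpty(), "password was changed by a cross-site request: CSRF protection is missing");
    }
}
```

Current Chrome treats cookies without a SameSite attribute as Lax and may not attach them to a cross-site top-level POST, so a passing test can reflect the browser's default rather than the site's own defence. Check which side rejected the request (for example in the server log) before concluding that the site is protected.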