I have tried CSRF attack on web vulnerability application known as DVWA at my localhost and on kali linux OS. I have changed password on this application by using CSRF. It has collected following log entries in access log.
127.0.0.1 - - [15/Dec/2018:22:01:21 +0530] "GET /DVWA/vulnerabilities/csrf/?password_new=abc123&password_conf=abc123&Change=Change HTTP/1.1" 200 4303
If any authenticated user will try to change the password, then same entries will be there in log file.
I want to know that what are be the common/expert features in log file which will identify that CSRF attack has been performed.
Note - I am doing log analysis in order to write an algorithm which will increase the accuracy in finding out the suspicious users through log file based upon the features of CSRF. I want help to find out the features. I have read this important link's information about CSRF features in Log file. Your help would be appreciated.