Lab: CSRF where token is tied to non-session cookie

tags: Portswigger Web Security Academy Web
  • Description: This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t fully integrated into the site’s session handling system.
  • Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You have two accounts on the application that you can use to help design your attack. The credentials are as follows: wiener:peter and carlos:montoya

  • Hint:

Recon

  1. Username: wiener
     Session: XdagGBS9LPa7P1t3m5sxhxNdGNSF567a
     CSRF Key: liMgrTpwX5psfFRMCHyzuuH6GDT0va5v
     CSRF Token: ZZYoEyE0OQqp1rvb6XCgs4Uz9us4OCgG

     Something interesting: when I log out and log in again, the session changes but the other data stay the same.

  2. Username: carlos
     Session: eblGI5f9PddGlEpYdJvsIUe6chNkLjrd
     CSRF Key: liMgrTpwX5psfFRMCHyzuuH6GDT0va5v $\to$ the same as wiener
     CSRF Token: ZZYoEyE0OQqp1rvb6XCgs4Uz9us4OCgG $\to$ the same as wiener
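The recon above shows what the lab description means by tokens that are not integrated into session handling: the session cookie changes on every login, but the csrfKey cookie and the CSRF token derived from it do not. The following added example (not code from the lab or from PortSwigger) models that server-side check with a constructed session store and a hypothetical HMAC derivation of the token from csrfKey; the lab's actual derivation is not shown on this page. It assumes the attacker can get the victim's browser to send the attacker's own csrfKey cookie alongside the victim's session cookie, and contrasts the weak check (token validated against whatever csrfKey cookie arrives) with a hardened check that only trusts the csrfKey stored in the server-side session.

```python
import hashlib
import hmac

# Constructed server-side secret. Assumption: the real lab derives the token
# from csrfKey somehow; an HMAC is used here purely for illustration.
SERVER_SECRET = b"constructed-server-secret"


def token_for_key(csrf_key: str) -> str:
    """Hypothetical derivation of a CSRF token from a csrfKey cookie value."""
    return hmac.new(SERVER_SECRET, csrf_key.encode(), hashlib.sha256).hexdigest()


# Constructed session store: session cookie -> user and the csrfKey issued
# to that session. Two accounts, mirroring the lab's wiener and carlos.
SESSIONS = {
    "sess-wiener": {"user": "wiener", "csrfKey": "key-wiener"},
    "sess-carlos": {"user": "carlos", "csrfKey": "key-carlos"},
}


def change_email_weak(cookies: dict, form: dict) -> tuple:
    """Vulnerable check: the token is validated only against the csrfKey
    cookie the request carries. Nothing ties that cookie to the session, so a
    csrfKey/token pair the attacker obtained from their own account is accepted
    on the victim's session as long as the victim's browser sends that cookie."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return False, "not logged in"
    key = cookies.get("csrfKey", "")
    if not hmac.compare_digest(token_for_key(key), form.get("csrf", "")):
        return False, "bad csrf token"
    return True, f"{sess['user']} email changed to {form['email']}"


def change_email_strong(cookies: dict, form: dict) -> tuple:
    """Hardened check: the csrfKey comes from the server-side session record,
    so a csrfKey cookie planted by the attacker is simply ignored."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return False, "not logged in"
    expected = token_for_key(sess["csrfKey"])
    if not hmac.compare_digest(expected, form.get("csrf", "")):
        return False, "bad csrf token"
    return True, f"{sess['user']} email changed to {form['email']}"


def simulate_attack() -> tuple:
    """Attacker (wiener) reuses their own csrfKey/token pair against the
    victim (carlos). Returns (weak_result, strong_result)."""
    attacker_key = SESSIONS["sess-wiener"]["csrfKey"]
    attacker_token = token_for_key(attacker_key)
    # Assumed precondition: the victim's browser sends the attacker's csrfKey
    # cookie together with the victim's own session cookie.
    victim_cookies = {"session": "sess-carlos", "csrfKey": attacker_key}
    form = {"csrf": attacker_token, "email": "attacker@example.com"}
    return change_email_weak(victim_cookies, form), change_email_strong(victim_cookies, form)


if __name__ == "__main__":
    weak, strong = simulate_attack()
    print("weak check:  ", weak)    # accepted: carlos's email is changed
    print("strong check:", strong)  # rejected: bad csrf token
```

The fix is the one the lab title points at: a CSRF token must be verified against a secret bound to the session, not against a freestanding cookie that an attacker may be able to control.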

Exp

:::spoiler Success Screenshot

:::

Reference

Writeup: CSRF where token is tied to non-session cookie @ PortSwigger Academy