Burp Suite User Forum

CSRF lab issues

adotvoid | Last updated: Jan 28, 2023 03:57PM UTC

Seems like there are some issues with the CSRF labs. I've tried using a variety of solutions for most of the day now and none of them seem to be working (or the first five I've tried anyway). The exploit server simply goes back to the login page of the web app after I click 'Deliver exploit to victim'. I've used a number of payloads both from the solution drop-down and the community solutions drop-down and none of these are working. These labs are great, but this problem makes for quite a frustrating experience.

Ben, PortSwigger Agent | Last updated: Jan 30, 2023 08:17AM UTC

Hi, I have just run through the first lab in this topic ('CSRF vulnerability with no defenses') and been able to solve it following the solution - was this one of the labs that you struggled with? If so, are you able to provide us with some details of the steps that you are taking to try and solve this? If this is not one of the labs that you are having issues with, are you able to provide us with a specific lab, alongside the steps that you have taken, so that we can hone in on this specific lab and double check the details?

Henri | Last updated: Jul 24, 2024 04:27PM UTC

Hello, I also have some issues with some labs in CSRF, such as this one: https://portswigger.net/web-security/learning-paths/csrf/csrf-common-flaws-in-csrf-token-validation/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie#

Using the solutions, the cookie is indeed set with the image. We can see the server replying:

```
HTTP/2 200 OK
Set-Cookie: LastSearchTerm=test
Set-Cookie: csrf=fake; Secure;
```

But in the next request the csrf cookie is not set:

```
POST /my-account/change-email HTTP/2
Host: LAB-ID.web-security-academy.net
Cookie: csrf=u3eqquIci0U7hQ7NyiAPOp4KgHV4jw0q; session=....
```
