Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

CSRF labs exploit server delivery doesn't work

Teodor | Last updated: Apr 15, 2023 08:10PM UTC

Hello, In the past i solved these labs without any issue. Now i can't even "Solve" the easiest one, CSRF vulnerability with no defenses. If i view the exploit the mail updates. Delivering the exploit doesn't work, does the simulated user changed in some way? Tried every lab and this issue applies. I double checked every input. Thanks, T

Ben, PortSwigger Agent | Last updated: Apr 17, 2023 09:21AM UTC

Hi Teodor, To confirm, is your payload using the same email address when you both view the exploit (which works for you) and then attempt to deliver it to the victim user (which does not work for you)? If so, we recently altered the way that the Web Academy environment works - two users cannot now have the same email address in a single lab instance. When you perform the 'view exploit' functionality on your user, you are changing the email address associated with the 'wiener' user. When you then come to try and deliver the exploit to the victim user you are then attempting to assign the same email address to the 'carlos' user, which will now no longer work due to the aforementioned change. You would need to alter the email address before you use the 'deliver exploit' functionality so that a unique email is being used. We have added some text within a 'Hint' box on each of the labs affected by this change to explain this to the user.

Teodor | Last updated: Apr 17, 2023 08:10PM UTC

Hi Ben, The payload is not using the same email address. I checked again, there must be something with the Exploit server. Your email is: test@test.com Payload: (i also used burp pro poc generator in other tests) <form method="POST" action="https://ID.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="anything%40web-security-academy.net"> </form> <script> document.forms[0].submit(); </script> I store the payload then deliver it to victim. As mentioned, i already completed the labs before, the issue is not only with this CSRF lab but with all of them, i choosed this one because it's easy to reproduce.

Ben, PortSwigger Agent | Last updated: Apr 18, 2023 04:29PM UTC

Hi Teodor, Actually, if you use anything@web-security-academy.net rather than anything%40web-security-academy.net in your payload (so remove the encoding for the @ character) - does this allow you to solve this particular lab?

Teodor | Last updated: Apr 18, 2023 06:19PM UTC

Hi Ben, Just tried without encoding. Still not getting the lab solved after delivery. T

Ben, PortSwigger Agent | Last updated: Apr 19, 2023 10:37AM UTC

Hi Teodor, Out of interest, what browser are you using to carry out this particular lab? I have just gone through this lab again, as of now, and simply delivering the following payload in the Exploit Server will solve the lab for me so I am somewhat perplexed as to why this does not work for you: <form method="POST" action="https://0a9500990464c01c80ee17aa0011004e.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="test@test.com"> </form> <script> document.forms[0].submit(); </script>

Bro | Last updated: Jul 27, 2023 01:07PM UTC

Hi Ben I had the same problem. What helped for me was to switch from Chrome to Firefox. Once I clicked Deliver to Victim using Firefox, then lab marked itself as solved.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.