The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


CSRF where token is duplicated in cookie && CSRF where token is tied to non-session cookie - Payloads work, but unable to replicate behavior.

João | Last updated: Jun 04, 2024 04:31PM UTC

When coming across these two labs I realized that I am unable to test the exploit on myself, even if it works for the victim. I am using the Burp Chromium browser (Version 125.0.6422.112). I've lost some time trying to understand this. Steps I followed:

1. The session and csrf tokens are set by the server with `Secure; HttpOnly; SameSite=None` flags.
2. Used the solution payload `<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="console.log('Error');"/>` (without the form and form submit).
3. Used the exploit on myself.

What I observed is that the browser blocks third-party cookies, ergo, it does not include the `session` and `csrf` cookies. Quoting the issue thrown by Chrome: "Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. Chrome blocks third-party cookies to protect user data from cross-site tracking."

With this behavior I think it is not possible to exploit these labs, as submitting the necessary form to solve the lab depends on setting the `csrf` cookie through CR+LF injection to that user's session. Am I missing something, or, with these browser settings, are these labs impossible to replicate?

João | Last updated: Jun 04, 2024 04:52PM UTC

Link to Chrome's "Prepare for phasing out third-party cookies": https://goo.gle/3pcd-dev-issue

Ben, PortSwigger Agent | Last updated: Jun 05, 2024 07:23AM UTC