The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How do I validate Academy CSRF lab solutions?

Joonas | Last updated: Apr 29, 2020 05:43AM UTC

I have trouble solving the CSRF labs in the academy. I have so far tested the first two of them, but can't figure out why the lab thinks the solutions are incorrect. Is there something else that needs to be done to validate the solution with the lab other than storing the response on the provided exploit server? Based on my proxy history the attack seems to be working as intended as I receive the same response from the target application as I do while changing my email directly in the application. However, I'm unable to manually verify if changing the email address has any impact since I haven't yet found a place where the application would display the currently set email address. I have also tried to follow the provided Solutions step-by-step, both using the Burp Professional method of relying on CSRF PoC generator and by manually copy/pasting the provided template and replacing the values. Is there a bug in the way the lab checks the solution or am I just missing something?

Michelle, PortSwigger Agent | Last updated: Apr 29, 2020 08:25AM UTC

Thanks for getting in touch, I hope you're enjoying the labs! Can you confirm the names of the labs you're working on to make sure we're checking the same ones, please? For the labs 'CSRF vulnerability with no defenses' and 'CSRF where token validation depends on request method' you can verify the exploit by clicking on 'View Exploit'. If you want to send us any screenshots of what you're trying to help describe things, you can always send an email to support@portswigger.net.
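The second lab Michelle names turns on a server-side check that validates the CSRF token for only one HTTP method. As an added illustration (not code from the lab, from PortSwigger, or from either poster), the sketch below places that flawed check beside a corrected one; the session store, session id and handler names are constructed for the example.

```python
import hmac
import secrets

# Constructed sample session store: session id -> CSRF token bound to that session.
SESSION_TOKENS = {"sess-abc": secrets.token_hex(16)}


def token_valid(session_id, submitted):
    """True only if the submitted token matches the one bound to this session.
    Uses a constant-time comparison and treats a missing token as invalid."""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def change_email_vulnerable(method, session_id, params):
    """Flawed handler: the token is checked only when the method is POST,
    so the same state change sent with another method is never checked.
    Returns an HTTP-style status code."""
    if method == "POST" and not token_valid(session_id, params.get("csrf")):
        return 403
    return 200  # email would be changed here


def change_email_fixed(method, session_id, params):
    """Corrected handler: a state-changing action is accepted only over POST,
    and the session-bound token is required on every such request."""
    if method != "POST":
        return 405  # method not allowed: no state change on GET/HEAD/etc.
    if not token_valid(session_id, params.get("csrf")):
        return 403
    return 200  # email would be changed here
```

A defender reviewing a handler like this should look for any branch where the token check is conditional on the request method, and for state changes reachable by methods other than POST.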

Joonas | Last updated: Apr 29, 2020 09:27AM UTC