The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: CSRF where token is not tied to user session

Toufiq | Last updated: Jun 06, 2020 11:36AM UTC

Firstly, love your Web Security Academy. In Lab: CSRF where token is not tied to user session, I'm having a problem solving the lab. According to the solution of this lab: "Observe that if you swap the CSRF token with the value from the other account, then the request is accepted." After swapping the CSRF token, the response I got is this:

-----------------------------
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
X-XSS-Protection: 0
Connection: close
Content-Length: 20

"Invalid CSRF token"
-----------------------------

Then I tried resending the request without swapping the CSRF token, with the same account, and the response I got was the same as the response above. Then, by intercepting the POST request for change email 3 times, I found that every time a new CSRF token is generated (it's not supposed to happen):

-----------------First------------------------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=yKcJkW9E5wjiHmBcyrfMzpbpMCXlElvI
------------------SECOND---------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=WqpTs3Tb1cdGfxxBzCcxs3TP7zaAfggo
----------------------Third------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=noiA2Y1vmFgJq4K7HZTTbGP9U8hi04Aq
---------------------------------------------------

I don't know if it's just me or if I'm doing something wrong. PS: Sorry, my English is not that good.
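As an added illustration of the flaw the lab is named after (this is example code written for this page, not the lab's or PortSwigger's own implementation), the toy server below keeps a record of every CSRF token it issues and compares two validation rules: the weak one only asks whether the token was ever issued by the application, the fixed one also requires that it was issued to the caller's own session. It assumes tokens are single-use and regenerated on every form render, which is one model consistent with the fresh token per request observed above and with a reused token being rejected as "Invalid CSRF token".

```python
import secrets


class CsrfStore:
    """Constructed toy CSRF state: token -> session it was issued to."""

    def __init__(self):
        self._issued = {}

    def issue(self, session_id):
        """Mint a fresh token each time the form is rendered (assumed behaviour)."""
        token = secrets.token_urlsafe(24)
        self._issued[token] = session_id
        return token

    def validate_untied(self, session_id, token):
        """Weak rule: accept any token the app ever issued, to any session.
        A token lifted from a second account therefore passes for the victim."""
        return self._issued.pop(token, None) is not None

    def validate_tied(self, session_id, token):
        """Fixed rule: the token must have been issued to this very session.
        Single-use as well, so a replayed token is rejected."""
        if self._issued.get(token) != session_id:
            return False
        del self._issued[token]
        return True


def demo():
    """Walk both rules through the same swap-and-replay scenario.
    Returns the four verdicts so they can be checked programmatically."""
    weak = CsrfStore()
    token_from_b = weak.issue("session-B")            # token issued to account B
    swapped_accepted = weak.validate_untied("session-A", token_from_b)
    replay_accepted = weak.validate_untied("session-A", token_from_b)

    fixed = CsrfStore()
    token_from_b = fixed.issue("session-B")
    swapped_rejected = not fixed.validate_tied("session-A", token_from_b)
    own_token = fixed.issue("session-A")
    own_accepted = fixed.validate_tied("session-A", own_token)

    return {
        "untied_accepts_swapped_token": swapped_accepted,   # True: the lab's flaw
        "untied_rejects_replay": not replay_accepted,       # True: single-use
        "tied_rejects_swapped_token": swapped_rejected,     # True: binding works
        "tied_accepts_own_token": own_accepted,             # True: legitimate use
    }
```

Run `demo()` to see that only the session-bound rule refuses a token borrowed from another account, while both rules refuse a token that has already been consumed.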

Uthman, PortSwigger Agent | Last updated: Jun 08, 2020 08:58AM UTC