Burp Suite User Forum


Lab: CSRF where token is not tied to user session

Toufiq | Last updated: Jun 06, 2020 11:36AM UTC

Firstly, love your Web Security Academy. In Lab: CSRF where token is not tied to user session, I'm having problems solving the lab. According to the solution of this lab: "Observe that if you swap the CSRF token with the value from the other account, then the request is accepted."

After swapping the CSRF token the response I got is this:

-----------------------------
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8
X-XSS-Protection: 0
Connection: close
Content-Length: 20

"Invalid CSRF token"
-----------------------------

Then I tried resending the request without swapping the CSRF token, with the same account, and the response I got was the same as the response above. Then, by intercepting the POST request for change email 3 times, I found that every time a new CSRF token is generated (it's not supposed to happen):

-----------------First------------------------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=yKcJkW9E5wjiHmBcyrfMzpbpMCXlElvI
------------------SECOND---------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=WqpTs3Tb1cdGfxxBzCcxs3TP7zaAfggo
----------------------Third------------------------
POST /email/change-email HTTP/1.1
Host: acc21fb41ee34de080e60e9f005f0050.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://acc21fb41ee34de080e60e9f005f0050.web-security-academy.net/email
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
DNT: 1
Connection: close
Cookie: session=v55Tv9jvEhjUnE1GsZuoX7otKQGLE2mD
Upgrade-Insecure-Requests: 1

email=black%40gmail.com&csrf=noiA2Y1vmFgJq4K7HZTTbGP9U8hi04Aq
---------------------------------------------------

I don't know if it's just for me or I'm doing something wrong.

PS: Sorry, my English is not that good.

Uthman, PortSwigger Agent | Last updated: Jun 08, 2020 08:58AM UTC

Hi Toufiq,

Have you taken a look at any video solutions? - https://www.youtube.com/watch?v=JKwTX9wjeec

The tokens are single-use so the fact that they are dynamically updating with each request is normal.
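The two observations in this thread (a swapped token being rejected, and a fresh token appearing on every form load) both follow from how a server validates CSRF tokens. The following added example is not PortSwigger's lab code and not part of either post; it is a small, constructed stand-in for a change-email handler that models two validation policies side by side: a "global" pool check, where any issued token is accepted from any session (the weakness the lab's title describes), and a session-bound check, where the token must have been issued to the session presenting it. Tokens are single-use in both modes, which is an assumption based on the reply above; the session ids, store class and function names are hypothetical.

```python
import secrets
from urllib.parse import parse_qs

# Constructed to match the response body quoted in the first post.
INVALID = (400, "Invalid CSRF token")


class CsrfTokenStore:
    """Hypothetical server-side CSRF token store.

    policy="global": the token only has to exist in the pool of issued tokens,
                     so a token minted for any session is accepted from any
                     other session (the flaw the lab is built around).
    policy="bound":  the token must have been issued to the presenting session.
    In both modes a token is consumed on its first validation (single-use),
    which is why resending an already-submitted token returns 400.
    """

    def __init__(self):
        self._issued = {}  # token -> session id it was issued to

    def issue(self, session_id: str) -> str:
        """Mint a fresh token for a session, as a form load would."""
        token = secrets.token_urlsafe(24)
        self._issued[token] = session_id
        return token

    def validate(self, session_id: str, token: str, policy: str = "bound") -> bool:
        owner = self._issued.pop(token, None)  # single-use: removed on first check
        if owner is None:
            return False  # unknown, or already spent
        if policy == "global":
            return True  # not tied to the session: any issued token passes
        return secrets.compare_digest(owner, session_id)


def handle_change_email(store, session_id, body, policy="bound"):
    """Minimal stand-in for POST /email/change-email; returns (status, body)."""
    form = parse_qs(body)
    token = form.get("csrf", [""])[0]
    email = form.get("email", [""])[0]
    if not store.validate(session_id, token, policy):
        return INVALID
    return (200, f"email changed to {email}")


def run_scenarios(policy):
    """Replay the thread's observations under one policy; returns the results."""
    store = CsrfTokenStore()
    own_session = "session-A"    # constructed session ids
    other_session = "session-B"
    body = "email=black%40gmail.com&csrf={}"

    # 1. Token issued to another session, submitted from own session.
    foreign = store.issue(other_session)
    swapped = handle_change_email(store, own_session, body.format(foreign), policy)

    # 2. The same token sent again: spent, so rejected under either policy.
    resent = handle_change_email(store, own_session, body.format(foreign), policy)

    # 3. Fresh token issued to own session and used exactly once.
    mine = store.issue(own_session)
    normal = handle_change_email(store, own_session, body.format(mine), policy)

    return {"swapped": swapped, "resent": resent, "normal": normal}


if __name__ == "__main__":
    for policy in ("global", "bound"):
        print(policy, run_scenarios(policy))
```

Under the "global" policy the swapped token is accepted, which is the behaviour the lab solution describes; under the "bound" policy it is rejected. Under both policies the resent token fails with the same 400 body, which matches what happens if the token from the intercepted request has already been consumed before it is replayed. The defensive takeaway is the "bound" branch: tie each token to the session it was issued for and check it with a constant-time comparison.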
