Burp Suite User Forum


Lab: CSRF with broken Referer validation. Why

Lei-Hyun | Last updated: Aug 26, 2021 11:55AM UTC

In Lab: CSRF with broken Referer validation, I tried the solution mentioned in (https://portswigger.net/web-security/csrf) and set Referrer-Policy: unsafe-url. But, it didn't work and the browser still sent the trimmed url as the referer header. Why is that? Is the solution wrong?

Lei-Hyun | Last updated: Aug 26, 2021 12:07PM UTC

E.g., it didn't contain the default /exploit. My solution was to mention the vulnerable website's url somewhere in there.
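Added example, not code from this thread or from the PortSwigger lab: a Python comparison of a substring-style Referer check (the "broken Referer validation" the lab title names) against an origin-based check, run over constructed sample Referer values. The hostnames `vulnerable.example` and `attacker.example` are placeholders, not the lab's real hosts.

```python
from urllib.parse import urlsplit

# Placeholder for the site whose Referer check is being tested (constructed, not the lab's host).
TRUSTED_HOST = "vulnerable.example"


def weak_referer_check(referer: str) -> bool:
    """Broken validation: accepts any Referer that merely contains the trusted
    hostname anywhere in the string (path, query, or as a subdomain prefix)."""
    return bool(referer) and TRUSTED_HOST in referer


def strict_referer_check(referer: str) -> bool:
    """Parse the Referer and compare the origin (scheme, host, port) exactly.
    A missing Referer is rejected: a browser that omitted or trimmed the header
    gives the server no evidence that the request came from a same-origin page."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False
    return parts.hostname == TRUSTED_HOST and parts.port in (None, 443)


# Constructed sample Referer headers covering the cases a server will actually see.
SAMPLES = {
    "same-origin": "https://vulnerable.example/my-account",
    "hostname-in-path": "https://attacker.example/vulnerable.example",
    "hostname-in-query": "https://attacker.example/exploit?vulnerable.example",
    "hostname-as-prefix": "https://vulnerable.example.attacker.example/",
    # What a page whose URL was rewritten to "/" by history.pushState sends: origin only.
    "trimmed-by-pushstate": "https://attacker.example/",
    "missing": "",
}


def evaluate(referers=SAMPLES):
    """Return {sample name: (weak result, strict result)} for each Referer value."""
    return {name: (weak_referer_check(r), strict_referer_check(r)) for name, r in referers.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:22s} weak={weak!s:5s} strict={strict}")
```

The "trimmed-by-pushstate" row shows why a Referer reduced to the bare origin no longer satisfies a substring check, which matches the observation above. Referer validation is at best a secondary CSRF defense because browsers can legitimately omit or trim the header; anti-CSRF tokens and SameSite cookies remain the primary controls.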

Lei-Hyun | Last updated: Aug 26, 2021 12:11PM UTC

I found the problem. It was because of the existence of history.pushState('', '', '/') in the scripts.

Lei-Hyun | Last updated: Aug 26, 2021 12:14PM UTC

By removing it, it works on my browser but I don't know why the lab is not solved when sent to the victim.

Ben, PortSwigger Agent | Last updated: Aug 27, 2021 08:41AM UTC

Hi, I have just run through this lab and was able to solve it using the solution provided. It appears to be working as expected. Are you able to clarify the exact steps that you have carried out so far? If it is easier to provide us with screenshots then please feel free to email us at support@portswigger.net and include these.

Lei-Hyun | Last updated: Aug 27, 2021 12:22PM UTC

I don't have a problem with the solution of the lab. My problem is why the method mentioned in the link I provided didn't solve the lab (when sent to the victim).

Ben, PortSwigger Agent | Last updated: Aug 27, 2021 02:13PM UTC

Hi, yes, it is not immediately clear what you have carried out in order to get to the solution that you are trying to implement (I see you have mentioned the link to https://portswigger.net/web-security/csrf but am unclear as to what exactly you have carried out from this page in order to try and solve the lab). If you can provide us with some precise details of the steps you have taken then we can take a look for you.
