Burp Suite User Forum

Lab: Exploiting NoSQL operator injection to extract unknown fields

Rubén | Last updated: Oct 22, 2023 07:53AM UTC

Hello, I post in bug reports because I don't know what else to do XD Is the lab mentioned in the subject working as intended? I have tried four times, if not more, to solve this lab and every time I try to change the password for carlos's account I get the next error code: Invalid CSRF token (session does not have a csrf). Every previous step works like a charm but at the moment of updating passwords I get that error, which is weird since there is, actually, a csrf parameter in the request for changing passwords. Yesterday I thought I was so slow doing the lab that the csrf-token or the session-token had expired but today I've done the exercise by heart, going straight to the point, and it has taken me about fifteen minutes to do the whole thing so I don't think the csrf and session tokens expired so fast. I would appreciate any help or hints. I don't know where to look to find out the info I need to solve the exercise. Cheers :))

Ben, PortSwigger Agent | Last updated: Oct 23, 2023 10:40AM UTC

Hi, Yes, the lab does appear to be working as expected. Have you carried out step 4 from the solution - the step to reset the 'carlos' user's password?

Rubén | Last updated: Oct 23, 2023 12:25PM UTC

Hello, Ben, The invalid csrf token (this session does not have a csrf token) error pops up after submitting the new password. It is like it is failing to validate the input to actually reset carlos's password. Cheers!

Ben, PortSwigger Agent | Last updated: Oct 23, 2023 01:03PM UTC

Hi, Are you able to confirm exactly what steps you have carried out when you observe this so that we can see exactly what you have done up to this point?

Rubén | Last updated: Oct 23, 2023 02:21PM UTC

I followed the write up for the lab and still got the same issue. I did not ask here because I could not resolve the lab but because following the write up was not helping me in solving the lab. Every step works fine, well, there is a caveat: when I tried to retrieve the value of the reset-password token I could not do it with a cluster-bomb attack because it would only give me two characters so I tried with sniper attack, changing the character position manually every attack, and I managed to get a valid token (I know because to confirm the parameter's name I submitted "invalid" as value and got the invalid token error, meaning the parameter was the right one) which redirected me to the reset password form. I introduced a new password, confirmed it and submitted the form. And then, instead of being able to log in to carlos's account, I got the "invalid csrf token..." error. I don't know what I am missing. Cheers.

Ben, PortSwigger Agent | Last updated: Oct 24, 2023 09:20AM UTC

Hi, It might well be easier to email us at support@portswigger.net and include details of the steps that you are taking, alongside screenshots, so that we can see exactly what you are doing at each stage of the solution. Are you able to do that for us so that we can see this more clearly?

Rubén | Last updated: Oct 24, 2023 11:04AM UTC

Yes, I will do it as soon as I can. Hopefully in the process I will notice where I am messing things up :) Cheers!

Ben, PortSwigger Agent | Last updated: Oct 25, 2023 07:15AM UTC

Thank you! Look forward to receiving the email in due course.
