The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Problem in payload suggested to solve lab "CSRF vulnerability with no defenses"

Nicola | Last updated: Nov 22, 2023 01:28PM UTC

Hi guys, I have noticed a problem in the payload you suggested for solving the lab "CSRF vulnerability with no defenses", namely in this specific part: name="email" value="anything%40web-security-academy.net"> The value of the "value" HTML attribute in the input tag is the urleconded version of the "@" symbol. However, an urleconded value is 1) not needed here given that we are dealing with a POST, not a GET request; 2) it breaks the payload making it ineffective. This bug took me a couple of hours to identify, but, on the positive, I have dug deeper into CSRF exploitation methodologies so it was not all time wasted. Please correct it so other users will not find themselves in the same situation, thanks you.

Michelle, PortSwigger Agent | Last updated: Nov 23, 2023 10:34AM UTC