LAB 3 - CSRF where token validation depends on token being present
Initial instructions
This lab's email change functionality is vulnerable to CSRF.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You can log in to your own account using the following credentials: wiener:peter
First of all, let's update the email address and intercept the request using Burp Suite.


Let's send this request to Repeater and try changing the CSRF token. If we modify it, the server replies like this:

So let's delete the token parameter completely and send the request. Now the request is accepted: the server only validates the token when one is present, so a request with no token at all passes the check.

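To see why deleting the parameter works, here is a small added example (my own illustration, not the lab's server code) that models the flawed check next to a fail-closed one. The handler, field names and session layout are assumptions for the demo.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

def issue_token() -> str:
    """Mint a per-session CSRF token; the server keeps it in the session."""
    return secrets.token_urlsafe(32)

def validate_csrf_vulnerable(session_token: Optional[str], form: Dict[str, str]) -> bool:
    """Models the lab's flaw: the comparison only runs if a 'csrf' field
    is present, so a request that simply omits the field is accepted."""
    submitted = form.get("csrf")
    if submitted is None:
        return True  # bug: a missing token is treated as valid
    return hmac.compare_digest(submitted.encode(), (session_token or "").encode())

def validate_csrf_fixed(session_token: Optional[str], form: Dict[str, str]) -> bool:
    """Fail closed: no session token, no submitted token, or a mismatch all reject."""
    submitted = form.get("csrf")
    if not session_token or not isinstance(submitted, str) or not submitted:
        return False
    # constant-time comparison on bytes so odd input cannot raise TypeError
    return hmac.compare_digest(submitted.encode(), session_token.encode())

def handle_change_email(validator: Callable[[Optional[str], Dict[str, str]], bool],
                        session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical change-email handler (assumed, not the lab's code): the only
    difference between the two outcomes below is which validator it is given."""
    if not validator(session.get("csrf"), form):
        return 400, "Invalid CSRF token"
    session["email"] = form.get("email", session.get("email", ""))
    return 200, "email updated"

if __name__ == "__main__":
    # constructed sample session and requests
    tok = issue_token()
    session = {"csrf": tok, "email": "wiener@example.test"}
    no_token = {"email": "attacker@example.test"}  # the parameter was deleted
    print(handle_change_email(validate_csrf_vulnerable, dict(session), no_token))  # (200, ...)
    print(handle_change_email(validate_csrf_fixed, dict(session), no_token))       # (400, ...)
```

The fix is not a better comparison; it is refusing to treat "no token" as a special case. Absence, empty string and wrong value must all land on the same reject path.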
Let's generate a CSRF PoC and send it to the victim.

Let's go to the exploit server, paste the CSRF PoC, and deliver it to the victim. (Remember to change the email address in the PoC to a different one.)
