LAB 4 - CSRF where token is not tied to user session
Initial instructions
This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't integrated into the site's session handling system.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You have two accounts on the application that you can use to help design your attack. The credentials are as follows: wiener:peter and carlos:montoya
First of all, let's log in with the wiener credentials, try to update that account's email address, and intercept the request with Burp Suite.
If we send the first request, it is accepted.

But if we send it a second time with the same CSRF token, the response says the token is invalid.

So each CSRF token is single-use: a fresh token is needed for every request.
Now let's log in with the carlos credentials and update that account's email address, but this time we will take carlos's CSRF token and use it in our original request.

Then, in our original (wiener) session, we replace our CSRF token with this new one.

When we send the request, it is accepted: the server checks only that the token is valid and unused, not that it was issued to the session submitting it.

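The behaviour observed above (single-use tokens that are nonetheless accepted from any session) comes down to what the server records when it issues a token. The following is an added example written for this write-up, not code from the lab or from PortSwigger: it models the flawed token store beside a session-bound one and replays the write-up's steps against both. The class and function names, session identifiers and email addresses are constructed for the illustration.

```python
import secrets


class WeakCsrfStore:
    """Models the lab's flawed design: tokens are single-use, but the
    store never records which session a token was issued to."""

    def __init__(self):
        self._unused = set()

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self._unused.add(token)  # session_id is ignored: this is the flaw
        return token

    def validate(self, session_id, token):
        # Accepts any unused token, regardless of who it was issued to.
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False


class SessionBoundCsrfStore:
    """Corrected design: each token is bound to the session that requested it,
    so a token issued to carlos is rejected when submitted in wiener's session."""

    def __init__(self):
        self._unused = {}  # token -> session_id that it was issued to

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self._unused[token] = session_id
        return token

    def validate(self, session_id, token):
        owner = self._unused.get(token)
        if owner is None or not secrets.compare_digest(owner, session_id):
            return False
        del self._unused[token]  # still single-use
        return True


def change_email(store, session_id, token, new_email, accounts):
    """Simulates the email-change endpoint: validate the token for the
    current session, then update that session's account (constructed)."""
    if not store.validate(session_id, token):
        return "Invalid CSRF token"
    accounts[session_id] = new_email
    return "OK"


def replay_across_sessions(store_cls):
    """Replays the write-up's steps against a given store design and returns
    the three outcomes: first use, replay, and cross-session use."""
    store = store_cls()
    # Constructed sample state: one account per session.
    accounts = {
        "wiener-session": "wiener@example.com",
        "carlos-session": "carlos@example.com",
    }
    # Step 1: wiener's own token works once, then is rejected on replay.
    token = store.issue("wiener-session")
    first = change_email(store, "wiener-session", token, "new1@example.com", accounts)
    second = change_email(store, "wiener-session", token, "new2@example.com", accounts)
    # Step 2: a token issued to carlos's session is submitted in wiener's session.
    carlos_token = store.issue("carlos-session")
    cross = change_email(store, "wiener-session", carlos_token, "changed@example.com", accounts)
    return first, second, cross


if __name__ == "__main__":
    print("weak store:         ", replay_across_sessions(WeakCsrfStore))
    print("session-bound store:", replay_across_sessions(SessionBoundCsrfStore))
```

With the weak store the third outcome is "OK", which is exactly what the intercepted request showed; with the session-bound store the same cross-session submission returns "Invalid CSRF token". The detection point for a defender is the same comparison: a token must be looked up together with the session (or cookie) it was issued to, not merely checked for existence in a pool of unused tokens.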
Let's build our CSRF PoC. For that we need to generate another valid CSRF token as carlos, replace the token in our original request with carlos's token, then generate the CSRF PoC and deliver it to the victim from the exploit server.
This is my CSRF PoC.

So I will send this to the victim as shown in the following screenshot.
