Solving Portswigger Academy: CSRF where token validation depends on request method
This lab’s email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.
You can log in to your own account using the following credentials:
wiener:peter
The description mentioned that the email change functionality is vulnerable to CSRF. Let’s log in to the application and test that.

Let’s try to change the email and capture the request in Burp.

Now, instead of sending the original request, we will remove or tamper with the CSRF token.

Remove the CSRF token and see how the application behaves. It responds with “Missing CSRF parameter”.

Send the same request again, but this time tamper with the CSRF token. Make a note of the original value of the CSRF token, which is “J1artq9VFotqCXy0cfdblk6ymMTzWd8g”, then change the last two characters and send the request. The response says “Invalid CSRF Token”.

Now change the request method to GET and resend it. The server accepts the request and also processes it.

This proves the application is vulnerable to CSRF if we change the request method from POST to GET: the token is only validated for POST requests. Let’s remove the CSRF token completely and test again. It works!!
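To show the defect behind this lab in code, here is an added example (not the lab’s actual server code) of a minimal email-change handler that, like the lab, checks the CSRF token only for POST, next to a hardened version that refuses non-POST state changes and always validates. The session-to-token mapping is constructed for the example; the token value is the one captured above.

```python
import hmac

# Constructed session-bound token store for the example (not the lab's real storage).
SESSION_CSRF = {"wiener-session": "J1artq9VFotqCXy0cfdblk6ymMTzWd8g"}


def validate_csrf_token(session_id, token):
    """Return (ok, error_message), mirroring the lab's two error strings."""
    if token is None:
        return False, "Missing CSRF parameter"
    expected = SESSION_CSRF.get(session_id)
    # Constant-time comparison against the token bound to this session.
    if expected is None or not hmac.compare_digest(expected, token):
        return False, "Invalid CSRF Token"
    return True, ""


def change_email_vulnerable(method, session_id, params):
    """Flawed handler: the CSRF token is only checked when the method is POST.

    A GET request carrying the same parameters falls through to the state
    change with no token at all, which is exactly what the lab exposes.
    """
    if method == "POST":
        ok, err = validate_csrf_token(session_id, params.get("csrf"))
        if not ok:
            return 400, err
    return 302, "email changed to " + params["email"]


def change_email_fixed(method, session_id, params):
    """Hardened handler: state changes require POST, and the token is always checked."""
    if method != "POST":
        return 405, "Method Not Allowed"
    ok, err = validate_csrf_token(session_id, params.get("csrf"))
    if not ok:
        return 400, err
    return 302, "email changed to " + params["email"]
```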

Let’s use the plugin to generate the CSRF PoC. Change the email address you want to use and deliver it to the victim.

