Create Lab1.md

Portswigger/CSRF/Lab1.md

@@ -0,0 +1,35 @@
+# Portswigger CSRF Lab - 1 
+
+##  CSRF vulnerability with no defenses
+In this lab we have to perfrom CSRF (Cross Site Request Forgery) which allows a user to make unintentional requests like changing user's email address which is the objective of this lab
+
+<img src="https://i.imgur.com/YmaHQoB.png"/>
+
+We are given credentials to log into our account 
+
+<img src="https://i.imgur.com/6qHauWq.png"/>
+
+We can update the email address from this page but this isn't the way we have to update it 
+
+<img src="https://i.imgur.com/A1papzn.png"/>
+
+If we look at the source code we can see the html for this form 
+
+<img src="https://i.imgur.com/IXAAA6q.png"/>
+
+We have `Go to exploit ` server (I don't have it now since I have solved this lab) , so going to that we will have options like `store` , `exploit` ,`deliver exploit` and `access logs` so first we need to craf a csrf exploit for that we need to copy the same html form content and in `action` paramter we add the url with `/my-account/change-email` 
+
+```html
+<html>
+<body>
+<form action="https://ac771fae1eadea59c0730ef5005c00f2.web-security-academy.net/my-account/change-email" method="POST">
+<input required type="hidden" name="email" value="ez@swigger.com">
+</form>
+<script>
+document.forms[0].submit();
+</script>
+</body>
+</html>
+```
+
+It's not necessary to make the input hidden but real csrf attacks like this where you don't see any input when you click a link and something happens in the back , so this request will make the email changed to ez@swigger.com and with this we completed this lab