6. CSRF where token is duplicated in cookie

This web application is vulnerable to CSRF. The API endpoint and its parameters are well known, and
state-changing actions can be performed with a user's cookie without checking where the request
originated. The browser attaches the user's cookie to any request for this site, so a cross-site
page can submit a POST request on the user's behalf, forging the request. The CSRF tokens for this
web application are not tied to the user's session; they are simply compared against the csrf
cookie set by the server (a "double-submit" check).

To solve the lab, we use an iframe / img tag to make the user's browser visit the /search
endpoint of the website, which lets us set the user's csrf cookie to a value we control. We then
supply the same value as the CSRF token and coerce the user's browser into submitting a POST request
that changes their email address.


Solution

Script