• caglararli@hotmail.com
  • 05386281520

CSRF not sending correct cookie (Damn Vulnerable Web App test)

Çağlar Arlı      -    17 Views

CSRF not sending correct cookie (Damn Vulnerable Web App test)

I am working on the DVWA's CSRF lab with the security setting to low. The DVWA is running on localhost:4280. The SameSite cookie attribute is not set (to Lax or Strict), and thus cross-site requests should be possible.

On http://localhost:80/, index.html contains this snippet:

<img src="" onerror="fetch('http://localhost:4280/vulnerabilities/csrf/?password_new=test&password_conf=test&Change=Change', { method: 'GET', credentials: 'include' });" hidden>

Cookies are not shared automatically cross-site, hence the credentials are included verbatim. It should allow the request to get through to the DVWA server (even though we cannot read the response due to CORS).

The password change is unsuccessful and Firefox dev tools gives an indication as to the why; the cookie is sent but has a different PHPSESSID and security level.

What could be the issue?

I'm logged in to DVWA; both 'sites' are open on different tabs in Firefox.