hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Account Settings — Crapazon

CSRF · Cross-Site Request Forgery (CSRF)
Difficulty
Easy
Vuln class
Cross-Site Request Forgery (CSRF)
Steps
5
// Objective
Craft a malicious page that silently changes Alice's email address on Crapazon when she visits it, demonstrating a CSRF attack.
// Tools required
Browser Developer Tools
// Step-by-step walkthrough
1
Inspect the account settings form
Log in as Alice using the provided credentials and navigate to Account Settings. Open DevTools → Network tab, then submit the "Change Email" form and observe the request.
Command / Input
POST /account/update-email
Content-Type: application/x-www-form-urlencoded

email=alice@example.com
Notice there is no CSRF token in the request body or headers. The server relies purely on the session cookie — which the browser sends automatically with every request.
2
Understand why this is exploitable
Browsers automatically attach cookies to any request to a matching domain, regardless of which site triggered the request. Without a CSRF token, the server cannot distinguish a legitimate user action from one triggered by a malicious third-party site.
3
Open the attacker page in the lab
The lab includes a pre-built "attacker.html" page. Open it in the lab browser — this simulates Alice visiting a malicious site while still logged in to Crapazon.
The attacker page contains a hidden form that auto-submits to the Crapazon endpoint the moment the page loads.
4
Observe the email change
Switch back to the Crapazon tab and refresh Account Settings. Alice's email has been changed without her knowledge or consent.
Output
Email updated to: attacker@evil.com
5
Retrieve the flag
After the CSRF attack succeeds, the flag is displayed on the confirmation page inside the attacker frame.
Output
HackrGG{csrf_f0rc3d_4cc0unt_upd4t3}
A real CSRF attack could change passwords, transfer funds, or invoke any other state-changing endpoint that lacks token validation.
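The check the lab's endpoint is missing, as an added example that is not part of the lab or the Crapazon application: the cookie-only handler from Step 1 next to a hardened version that requires a per-session synchronizer token and a same-site Origin/Referer. The session store, the session id "sess-alice" and the origin "https://crapazon.example" are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store: session id -> session data (assumption).
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}
SITE_ORIGIN = "https://crapazon.example"  # assumed origin of the lab app


def issue_csrf_token(session_id):
    """Token the settings form must embed; attacker.html cannot read it
    because the same-origin policy blocks cross-site reads of our pages."""
    return SESSIONS[session_id]["csrf_token"]


def vulnerable_update_email(cookies, form):
    """Lab behaviour: trusts the automatically sent session cookie alone."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"Email updated to: {form['email']}"


def hardened_update_email(cookies, headers, form):
    """Same endpoint with a synchronizer-token check plus an origin check."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    # A cross-site form post carries the third-party page's Origin (or "null"),
    # which the browser sets and the page cannot forge.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return 403, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return 403, "cross-site origin"
    # Constant-time compare of the submitted token against the session's token.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "invalid CSRF token"
    return 200, f"Email updated to: {form['email']}"
```

Defence in depth: the SameSite cookie attribute limits when the browser attaches the session cookie at all, but the server-side token check is what makes the endpoint safe in every browser.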
// Flag
Flag value
HackrGG{csrf_f0rc3d_4cc0unt_upd4t3}
Displayed after the CSRF form submission succeeds and Alice's account is modified.