Wow. It is a really amazing video. Very nice. Thanks.
@eremite122 2 days ago
Can you please tell why the value of the tracking id was removed here?
@SANBOOST 3 days ago
What is the purpose of scripting it in Python??? I mean, the same vulnerability on a different website would be designed differently. So, why would we automate it in Python when our Python code is only going to work on one specific website, and only when the URL redirection on the website is exactly the same as written in our code?
@SoeHtetAung-y3w 3 days ago
Does not work with the script.
@itsksujan 6 days ago
Hey @RanaKhalil, in stateless applications, how is the validation done? That is, how does the server check that the tokens provided are associated with the user's session and are not an attacker's tokens sent along with the user's session?
@nitinguleria-vs7ns 8 days ago
Rana, doing great work... lots of love and support from India.
@ali-wz6nz 10 days ago
00:05 - Exploiting CSRF vulnerability in email change functionality.
01:47 - Exploring CSRF vulnerability in email changes using Burp Suite.
03:36 - Exploring CSRF vulnerability with matching CSRF token and cookie.
05:24 - Exploring CSRF vulnerability in stateless applications with double submit defense.
07:01 - Exploring a CSRF attack using duplicate tokens in cookies.
08:50 - Demonstrating CSRF attack with duplicated tokens in cookies.
10:25 - Demonstrates a CSRF attack using header injection and error handling.
12:21 - Demonstrating a CSRF attack using duplicated tokens.
@ali-wz6nz 10 days ago
00:05 - Lab #5 in the CSRF module covers CSRF where the token is tied to a non-session cookie.
02:26 - A CSRF attack can lead to a full compromise of the user's account.
04:42 - The CSRF token and the CSRF key cookie need to be tied together for proper defense against CSRF attacks.
07:28 - The CSRF token and csrfKey cookie are tied together.
10:06 - To exploit the CSRF vulnerability, we need to inject the CSRF key cookie and send a CSRF attack with a known token.
12:45 - Adding a new cookie called 'last search term' allows the user to set their own cookie.
15:12 - Exploiting CSRF by changing form values and submitting the form with an auto-submit script.
17:36 - The video demonstrates a CSRF attack using a non-session cookie.
@peterwestenthaler7954 10 days ago
You have some of the best walkthroughs of PortSwigger labs, well done!
@ali-wz6nz 10 days ago
00:07 - Exploring CSRF vulnerability in email change functionality.
01:05 - Demonstrating CSRF exploitation using Burp Suite Pro.
02:06 - Illustrates vulnerabilities in email change functionality through CSRF attacks.
02:59 - CSRF tokens can be bypassed depending on the implementation and methods used.
03:48 - CSRF token removal shows backend vulnerability to CSRF attacks.
04:43 - CSRF vulnerability arises due to optional token validation.
05:41 - Automated form submission for CSRF exploitation is demonstrated.
06:33 - Successfully exploited CSRF vulnerability in the lab exercise.
@ali-wz6nz 11 days ago
00:05 - Exploring CSRF vulnerability in email change functionality.
01:37 - Setting up Burp Suite to test CSRF vulnerabilities.
03:02 - Changing the email can fully compromise an account via CSRF.
04:22 - CSRF vulnerabilities may occur with improper request method handling.
05:50 - Test shows GET requests can change data due to CSRF vulnerability.
07:10 - Application is vulnerable to CSRF due to method-dependent token validation.
08:48 - Demonstrating CSRF attack using Burp Suite Pro and custom scripting.
10:14 - Demonstrating a CSRF attack by changing an email address unnoticed.
@abhulimenwisdom8692 11 days ago
This is actually a very detailed video emphasizing business logic flaws and their impact. Thank you, Rana!
@MohamedAnsary-sn1pp 14 days ago
So you're an Arab and you speak in English, whyyyyyy? I mean, as if there is so much content in Arabic.
@yusufix666 15 days ago
I did, but when I click "View exploit" it runs correctly, and when I click "Deliver exploit to victim" it is not working. What is the reason?
@trinhquangminh7541 18 days ago
Thank you!
@SoeHtetAung-y3w 18 days ago
I can't find the lab link.
@MohamedAhmed-l6r3c 19 days ago
Hello, I am a beginner in penetration testing, and I was so excited about this field, but SQL injection is very boring to me, because I can't understand it well.
@Networkingme-g9y 20 days ago
😢 Thank you
@LeiYiren 21 days ago
Nice juice
@somebody3014 21 days ago
Thanks for the scripting section
@davidelmakias5545 21 days ago
Awesome explanation, thank you very much! There's one thing I'm missing here. What is the proper configuration? Suppose I have a dynamic environment and I need to allow multiple domains... Some of them do need the credentials header, some don't. What would you recommend?