Invalid CSRF Token after Posting Password

Not sure what you are trying to do (login or submit solutions). Anyways, the forms on the web site have a CSRF token included that gets transmitted with the form request. If you want to mimic the form submission of the web site, you have to include that CSRF token in your request. Just search for the parameter “token” in the web site source.
If you’re curious why there is such a token at all, I’m sure Google has plenty of answers for Cross Site Request Forgery and how to prevent it. ;)

Actually, speaking of the CSRF protection of DTW, I don’t think a token contained within a hidden input is a good idea. You can always retrieve it on the first request and then use it to submit a follow-up request.

I think it would be better to have the CSRF token as an HTTP request header instead as well as to have it removed from playground pages.

Hm, interesting point. Maybe start a separate discussion about that?

@niroth: This is probably something due to the transition to the new site. See also ticket https://defendtheweb.net/help/contact/47 (assuming you have access).

At least for now you do indeed need a CSRF token to solve it, but luckily the CSRF token is given in the page, just not in a form. Have a look if you can find it. (I’m not saying more here in case it is intentionally part of the challenge.)

@Keeper: Isn’t the idea of a CRSF token to provide protection exactly against those attackers that cannot do that first request (or at least get the result of that request)?

Sure, but most applications that store the CSRF token in the HTML associate it with the user’s session. That token then becomes valid up for the entirety of the session until it’s terminated. So in the event of an XSS vulnerability the attacker can obtain the token and then reuse it through the entire lifespan of the session (which if users opt for the remember me can be additionally extended).

As opposed to that, not having to handle the CSRF protection using a stateful token comes with its advantages. For example, checking the Origin header would disallow external hosts from sending requests on behalf of the end-user. Using a double submit cookie can also be considered better than just a single token in the DOM.

Anyhow, in the end, an XSS vulnerability would render any CSRF protection useless but my point is that one can still aim to limit the attack vectors/impact.

@dloser what do you mean with “just not in a form”? Sure about that?

@Keeper: Aim sure, but you already indicate that it doesn’t really solve anything, so… (and DtW’s tokens already seem to be unique per form per request). Anyway, off-topic.

@tehron: Pretty sure; have a closer look. Although there is also at least one in a form, I didn’t try that one because I expect it shouldn’t work.

@tehron , @dloser , @Keeper :

Thank you for the replies and information.

I’m still beating my head on this. I’ve used different formats that I have found but I still get invalid CSRF and, occasionally, invalid log in comes up with it.

This is the latest code I’ve used:

The value for the token changes each time, obviously,, but from what I can tell this should work. I’ve also tried including the token on the url, instead (https://defendtheweb.net/playground/http-method?_csrf=<8887efaf3bcb9579fd53f59d0650c408ed117fabca6b8aeb8ed96b6003d8118a>, with and without <> on the value). Adding it as meta (which isn’t where it goes, but at this point why not?). There must be something that I am outright not understanding. I am a complete novice and was pretty happy with my progress this far. Any further insight would be very much appreciated.

@dloser : I cannot view the ticket you linked. What was the content?

Yes, this level should be looked at by @flabbyrabbit .

@niroth: You can use the CSRF token in the meta tag.

I suggest that you read up on HTML. A useful link for heads up in this challenge: https://www.w3schools.com/html/html_forms.asp
Also look at how the CSRF protection at DtW works and combined with the above link you’ll be able to solve the challenge.

There is nothing more for you in the ticket, @niroth. I just like to have links between related things. ;)

Make sure you only include the token itself, not any whitespace, brackets or quotes (just hexadecimals).

Hello, the password is he encrypt or must he enter it as it is

As is, @Maximaxvoltaire.

thank you

I opened up Google Chrome Dev Tools to inpect the page, then injected this code into one of the div:

<form id="myform" action="https://defendtheweb.net/playground/http-method" method="POST">  
   <input type="hidden" name="password" value="8f1990c83a"/>  
</form>  
<script>  
   document.getElementById("myform").submit();  
</script>  

Since the page itself already has a csrf-token in its meta-tag, so I did not need to edit that.
After refreshing the page, there was no CSRF error, but it just reloads the same page showing the same
original instructions. Apparently nothing happened. Can anyone point me in the right direction - what am I missing here, please?

It is also not working for me.

The level works fine, you need to learn about CSRF protections to resolve your problem. There is already quite a lot of information in this thread.

Could anyone be so kind to leave me another hint about CSRF token? I read and understand about CSRF. I tried for 2 days putting the token into the form, into the mega tag but it does not work. Thank you in advance!

Take a look at how the other challenges pass/submit the CSRF token.

Thanks you so much. It took me a good 5 long days but I learned so much on the way.

Thanks to you I completed this level !
Thank you !

I tried to save the page as .html files. I added HTML Forms with POST method. But it always coming out CSRF Token Invalid. What step am I doing wrong?

can someone help me please, like others I’ve sent the password but there is the “invalid csrf token”, I ’ve learn about it and I have understand what is it but i still don’t know how can I be able to sent that passeword

use chrome inspector/firebug to scan the source for the word “token”. the first tag that comes up should be a “meta” tag. Bear in mind two things: firstly, a CSRF token is part of the form that is using it. second, a new CSRF token is generated on page load.

Hope this helps!

P.S. Ironically, I have been typing this message for so long that, when i submitted it said “Invalid CSRF token”

Use correct style of html <input type=“hidden” name=“token” id=“token” value=

Please note: if using “Inspect” that a new token is generated… search for it within the current inspection window.

Feel so stupid after completing this challenge, took me longer than it should have :) to everyone still struggling, read up as much as you can about the post method and csrf tokens, other than that there are more than enough hints given in this thread to assist you with completing this challenge, gl and keep grinding.