SameSite Lax bypass via method override

Description

This lab's change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim's email address. You should use the provided exploit server to host your attack.

You can log in to your own account using the following credentials: wiener:peter

Approach

After logging in as the "wiener" user, I intercepted the change email request and sent it to repeater for further analysis:

POST /my-account/change-email HTTP/2
Host: 0a1e00ca04788ab88023d0e2003b0031.web-security-academy.net
Cookie: session=hm1jQnnLanBBd7Y2ES5hrmAGWCIQqLo0
...

email=qwe%40qwe.qwe

I tried to change the method to GET, but it only accepts POST requests:

HTTP/2 405 Method Not Allowed
Allow: POST
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 20

"Method Not Allowed"

My goal was to change the victim's email address through a CSRF attack. However, since the session cookie is set with SameSite=Lax, a cross-site POST request won't carry the cookie, which blocks the CSRF attack. To bypass this, I needed to send a GET request and override the request method of the change email request.

To achieve this, I used the _method parameter to override the method, ensuring that the request to change the email would be sent correctly. Here’s the payload I crafted:

This payload effectively bypasses the SameSite=Lax protection by using a GET request while overriding the method to POST. By clicking Store and then Deliver exploit to victim, I confirmed that the lab was solved, indicating that the victim's email address was successfully changed.
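As an added example (not the lab's server code or the author's payload), here is a small Python model of the bug described above and of its fix: a SameSite=Lax cookie rule, a method-override resolver that honors `_method` on any request beside one that only honors it inside a POST body, and a change-email handler run with each. The `Request` objects and the `new@example.com` value are constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

@dataclass
class Request:
    method: str
    query: str = ""
    body: str = ""
    cross_site: bool = False     # constructed stand-in for the browser's site comparison
    top_level_nav: bool = False  # True for a document.location-style navigation

def lax_cookie_sent(req: Request) -> bool:
    """SameSite=Lax model: always sent same-site; cross-site only on a
    top-level navigation using a safe method, i.e. a plain GET."""
    if not req.cross_site:
        return True
    return req.top_level_nav and req.method in SAFE_METHODS

def params_of(req: Request) -> dict:
    return {**parse_qs(req.query), **parse_qs(req.body)}

def method_vulnerable(req: Request) -> str:
    """Honors _method from query or body regardless of the real HTTP method,
    so a cookie-carrying GET is upgraded to a POST (the lab's bug)."""
    return params_of(req).get("_method", [req.method])[0].upper()

def method_hardened(req: Request) -> str:
    """Honors an override only inside a POST body; a GET is never upgraded."""
    if req.method != "POST":
        return req.method
    return parse_qs(req.body).get("_method", ["POST"])[0].upper()

def change_email(req: Request, resolve_method) -> tuple:
    """Handler model returning (status, new_email_or_None)."""
    if not lax_cookie_sent(req):
        return 401, None   # no session cookie arrived: not authenticated
    if resolve_method(req) != "POST":
        return 405, None   # the lab's "Method Not Allowed"
    email = params_of(req).get("email", [None])[0]
    return (200, email) if email else (400, None)

# Constructed requests: the page's GET + _method=POST trick sent as a top-level
# cross-site navigation, and a plain cross-site POST for comparison.
CROSS_SITE_GET = Request("GET", query="email=new%40example.com&_method=POST",
                         cross_site=True, top_level_nav=True)
CROSS_SITE_POST = Request("POST", body="email=new%40example.com", cross_site=True)
```

The hardened resolver still needs a CSRF token or Origin check for genuine POSTs; it only closes the GET-to-POST upgrade the override parameter opened.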