This vulnerable web application provides us with a cookie, but doesn’t specify the SameSite restriction. We can discover this after logging in via the /login page. By default, if a website doesn’t specify the SameSite restriction, the browser will treat it as Lax. This leaves the user and website vulnerable to CSRF attacks using GET requests.
Attempting to make a GET request against the /my-account/change-email endpoint will fail due to the SameSite=Lax restriction. However, we can bypass this restriction by providing a alternative _method override parameter, setting the _method to POST. This will allow us to successfully change the email address of the currently logged in user.
Solution:
<script>
document.location =
"https://<LAB-ID>.web-security-academy.net/my-account/change-email?email=pwned%40evil-user.net&_method=POST"
</script>