7. SameSite Lax bypass via method override

This vulnerable web application provides us with a cookie but doesn't specify a SameSite
restriction on it, which we can confirm after logging in via the /login page. By default, if a website
doesn't specify the SameSite restriction, the browser treats the cookie as Lax. This leaves the user
and website vulnerable to CSRF attacks using GET requests, because Lax cookies are still sent on
top-level GET navigations.

Attempting to make a GET request against the /my-account/change-email endpoint will fail due to
the SameSite=Lax restriction. However, we can bypass this restriction by supplying an alternative
_method override parameter set to POST. This allows us to change the email address of the
currently logged-in user.
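The following is an added example, not code from the lab or from the original writeup. It models a hypothetical change-email handler in plain Python (no web framework) to show the root cause from the server side: a framework that honours a _method override on any request turns a harmless top-level GET navigation, the one case where a Lax cookie is still attached, into a state-changing POST. The hardened resolver only accepts _method inside a real POST body, and the cookie helper states SameSite explicitly instead of relying on the browser default. All names, the session store and the request values are constructed for the demo.

```python
"""Hypothetical /my-account/change-email handler: lenient vs. strict _method handling.

Constructed for illustration; nothing here is the lab's own code.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSION_COOKIE = "session"
# Constructed session store: cookie value -> account record.
ACCOUNTS = {"s3ss10n-wiener": {"user": "wiener", "email": "wiener@example.com"}}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""                                # raw query string
    form: dict = field(default_factory=dict)       # parsed POST body
    cookies: dict = field(default_factory=dict)    # cookies the browser chose to attach


def effective_method_lenient(req: Request) -> str:
    """Weak pattern: honour _method from the query string OR the body on any request."""
    from_query = parse_qs(req.query).get("_method", [None])[0]
    override = from_query or req.form.get("_method")
    return (override or req.method).upper()


def effective_method_strict(req: Request) -> str:
    """Hardened: _method may only promote a genuine POST body to PUT/PATCH/DELETE
    (the reason the override exists: HTML forms cannot send those verbs).
    A GET can never become a state-changing method."""
    if req.method.upper() == "POST":
        override = (req.form.get("_method") or "").upper()
        if override in {"PUT", "PATCH", "DELETE"}:
            return override
    return req.method.upper()


def change_email(req: Request, resolve_method, accounts: dict) -> tuple:
    """Dispatch the endpoint using the supplied method resolver; returns (status, message)."""
    if req.path != "/my-account/change-email":
        return 404, "not found"
    account = accounts.get(req.cookies.get(SESSION_COOKIE))
    if account is None:
        return 401, "no session"
    if resolve_method(req) != "POST":
        return 405, "method not allowed"
    new_email = parse_qs(req.query).get("email", [None])[0] or req.form.get("email")
    if not new_email:
        return 400, "missing email"
    account["email"] = new_email
    return 200, "email updated"


def session_set_cookie(value: str) -> str:
    """Set-Cookie header that pins SameSite explicitly rather than trusting the Lax default."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = value
    c[SESSION_COOKIE]["samesite"] = "Strict"
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["secure"] = True
    return c.output(header="Set-Cookie:")


def demo() -> tuple:
    """Model a cross-site top-level GET navigation: the browser attaches the Lax cookie.

    Returns (lenient_status, lenient_email, strict_status, strict_email)."""
    nav = Request(method="GET", path="/my-account/change-email",
                  query="email=new%40example.com&_method=POST",
                  cookies={SESSION_COOKIE: "s3ss10n-wiener"})
    lenient_accounts = {k: dict(v) for k, v in ACCOUNTS.items()}
    strict_accounts = {k: dict(v) for k, v in ACCOUNTS.items()}
    lenient_status, _ = change_email(nav, effective_method_lenient, lenient_accounts)
    strict_status, _ = change_email(nav, effective_method_strict, strict_accounts)
    return (lenient_status, lenient_accounts["s3ss10n-wiener"]["email"],
            strict_status, strict_accounts["s3ss10n-wiener"]["email"])


if __name__ == "__main__":
    print(demo())
    print(session_set_cookie("s3ss10n-wiener"))
```

Running demo() shows the lenient resolver accepting the navigation as a POST and overwriting the address, while the strict resolver answers 405 and leaves the account untouched; a genuine same-site POST form still succeeds under the strict resolver. The Set-Cookie helper is the second layer: with SameSite stated as Strict (or Lax, if cross-site top-level links must keep the session) the defence no longer depends on a browser default.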


Solution