## Apprentice Level - βœ… [[1. CSRF vulnerability with no defenses]] ## Practitioner Level - βœ… [[2. CSRF where token validation depends on request method]] - βœ… [[3. CSRF where token validation depends on token being present]] - βœ… [[4. CSRF where token is not tied to user session]] - βœ… [[5. CSRF where token is tied to non-session cookie]] - βœ… [[6. CSRF where token is duplicated in cookie]] - βœ… [[7. SameSite Lax bypass via method override]] - βœ… [[8. SameSite Strict bypass via client-side redirect]] - βœ… [[9. SameSite Strict bypass via sibling domain]] - βœ… [[10. SameSite Lax bypass via cookie refresh]] - βœ… [[11. CSRF where Referer validation depends on header being present]] - βœ… [[12. CSRF with broken Referer validation]]