Cross‐site request forgery (CSRF) - NANDITHA90/PortSwigger-LABS GitHub Wiki

LAB - 1

CSRF vulnerability with no defenses

LAB - 2

CSRF where token validation depends on request method


LAB - 3

CSRF where token validation depends on token being present


LAB - 4

CSRF where token is not tied to user session


LAB - 5

CSRF where token is tied to non-session cookie


LAB - 6

CSRF where token is duplicated in cookie


LAB - 7

SameSite Lax bypass via method override


LAB - 8

SameSite Strict bypass via client-side redirect


LAB - 9

SameSite Strict bypass via sibling domain


LAB - 11

CSRF where Referer validation depends on header being present


LAB - 12

CSRF with broken Referer validation
