Security / Scenario

Is This Endpoint CSRF-Vulnerable?

Cookie auth, no token, weak SameSite, and a state change on GET. Read the setup and decide if an attacker page can ride the session.

Difficulty
Hard
Format
Scenario
Points
200
Estimate
15 min

// MISSION BRIEF

Your Mission

An attacker hosts a page that quietly submits requests to your app using the victim's logged-in session. Whether that works comes down to a few details: is there an anti-CSRF token, what SameSite is on the cookie, and is any state change reachable by GET?

Read the endpoints and cookie settings, decide what is exploitable, and specify the fix.

// FIRST CONTACT

Battle teaser

First artifact

Two endpoints and the session cookie

Which factors make these endpoints CSRF-vulnerable? (Select all that apply.)

  1. AA state-changing POST relies only on an ambient session cookie with no anti-CSRF token
  2. BA state-changing action is exposed via GET (triggerable by <img> / <a>)
  3. CNo Origin/Referer check on the sensitive requests
  4. DThe cookie has no / weak SameSite protection
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

securitycsrfsamesitesession