Security / Scenario
Is This Endpoint CSRF-Vulnerable?
Cookie auth, no token, weak SameSite, and a state change on GET. Read the setup and decide if an attacker page can ride the session.
- Difficulty
- Hard
- Format
- Scenario
- Points
- 200
- Estimate
- 15 min
// MISSION BRIEF
Your Mission
An attacker hosts a page that quietly submits requests to your app using the victim's logged-in session. Whether that works comes down to a few details: is there an anti-CSRF token, what SameSite is on the cookie, and is any state change reachable by GET?
Read the endpoints and cookie settings, decide what is exploitable, and specify the fix.
// FIRST CONTACT
Battle teaser
First artifact
Two endpoints and the session cookie
Which factors make these endpoints CSRF-vulnerable? (Select all that apply.)
- AA state-changing POST relies only on an ambient session cookie with no anti-CSRF token
- BA state-changing action is exposed via GET (triggerable by <img> / <a>)
- CNo Origin/Referer check on the sensitive requests
- DThe cookie has no / weak SameSite protection
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
securitycsrfsamesitesession