Let's Hack SameSite: Strict

This is Day 17 of #cybertechdave100daysofcyberchallenge

In the last article, Let's Hack SameSite: Lax, we saw how to bypass the SameSite=Lax restriction.

Let's hack SameSite: Strict

Log in with the credentials given in the PortSwigger lab

Login with wiener user

Let's change the email address and capture the request in BurpSuite

Send the request to Repeater

Captured the request in Repeater

What do we do now?

We know that SameSite=Strict does not allow the cookie to be sent on any cross-site request

How do we bypass it?

Let's think for a while

If the application is doing redirection, can we use this redirection request to achieve something?

Why redirection?

  • Because, if the application uses redirection, then the final request originates from within the app itself.
  • As a result, that request won't be treated as a cross-site request, so the cookie is attached.

Now if we use redirection, that means it will be a GET request.

So, let's try to change the HTTP request method from POST to GET in BurpSuite

Changing POST to GET in BurpSuite

And guess what, it worked!! We received 302 Found and the email address has been changed to the one shown below

The email address is changed

This is a major milestone !!

What we need now is a redirection point in the application.

Let's add a new Post and see what happens.

Add New Post

Navigation to post/comment/confirmation page

We navigate to the post/comment/confirmation page; let's analyse what happens after that in BurpSuite

Let's capture the request in BurpSuite and analyse it carefully

Redirection Response

As seen in the above diagram, the redirection response is given below:

Location: /post/comment/confirmation?postId=9
Actual Redirection

and when the actual redirection to /post/comment/confirmation?postId=9 happens, the response is as shown above

There is a function called redirectOnConfirmation

Let's see the code for the redirectOnConfirmation function

Code for redirectOnConfirmation

As seen in the above code, postId is read from url.searchParams, i.e. straight from the query string of the confirmation URL

So that means we can control the postId parameter

Let's try to manipulate the postId parameter


As shown above, we have added the postId value as ../my-account

Let's see what happens

postId is given the value ../my-account

So we used postId=../my-account/ here

post/comment/confirmation page displayed

And we got a confirmation page as expected

Redirection happens to /my-account/

And guess what, we have been redirected to /my-account

And as we can see, the changed email is shown on the my-account page. This means the request carried the session cookie with it; otherwise, we wouldn't have been able to see the changed email here

Can we go one step further and use this redirection plus the cookie-carrying observation to craft an exploit?

First, try directly in the browser by typing the below URL


What we get is

Missing Parameter: "Submit"

Even when the URL contains &submit=1, it says Missing Parameter: Submit. That is because the browser treats the unencoded & as the start of a new parameter of the confirmation URL, so submit=1 is never part of the postId value that redirectOnConfirmation appends to the redirect.

Let's URL encode the & character (as %26) and the updated URL is


And guess what, below is the sequence of events

post/comment/confirmation page is displayed

And redirection happens to my-account/change-email

and the redirection happens to my-account/change-email with the email changed to [email protected]

We have achieved what we wanted; we just performed a CSRF attack successfully in spite of the SameSite=Strict restriction

Now, instead of typing the URL in the browser, craft an exploit and deliver it from the exploit server

Below is the exploit

<script>window.location = "https://0ac000de04b5b1f6818459d000850047.web-security-academy.net/post/comment/confirmation?postId=../my-account/change-email?email=megan%40customdomain.com%26submit=1";</script>
Exploit Crafted

And as expected, we have solved the lab !!

Lab Is Solved

So what we did essentially is:

  • We found a redirection point within the application
  • We exploited that redirection point to include a URL which eventually goes to the /my-account/change-email endpoint
  • For that, we first verified that changing POST to GET works on the /my-account/change-email endpoint

So what should the defence be here? How should we prevent this attack? Let's look at the two loopholes:

  • Allowing GET along with POST on the /my-account/change-email endpoint

This is very basic: the /my-account/change-email endpoint should not allow GET.

This is a classic case of HTTP method tampering. Without this loophole, this attack wouldn't have been possible.

  • Allowing redirection with user-controlled input and no validation

Here user-controlled input is allowed in the redirection, that is, we used the below redirection URL in the postId parameter


And there is no validation of what values are allowed in the postId parameter

The only allowed value should have been a numeric postId.

That's it !!

So no matter what security mechanisms are available to prevent attacks, attackers will always look for loopholes in the application to carry out attacks

Happy Learning !!
