Juicy Shop
CSRF on Email Change
Vulnerability
The change-email endpoint mutates state but is authorised only by the ambient session cookie. Browsers attach that cookie automatically to cross-site requests, so an attacker can host a page that auto-submits a form to this endpoint; the victim's browser sends their cookie and the email is changed without consent. Capturing the account email is a common precursor to a full account takeover via password reset.
Exploit Steps
- Log in as a victim user in one tab to establish a session cookie
- Visit an attacker page that auto-submits a POST to /account/email
- The browser attaches the victim's session cookie automatically
- The email is changed to the attacker's address, enabling a password-reset takeover
Tools: a malicious HTML page, browser devtools, Burp Suite
Mitigation & Solution
Require a per-session anti-CSRF token on every state-changing request and verify it server-side; the cross-origin attacker cannot read it. Set session cookies to SameSite=Lax or Strict as a strong second layer. Never change state on GET. Referer checks and CAPTCHAs are weaker, bypassable substitutes.
Coding Challenge
Find It
File: apps/juicy-shop/src/security-examples/csrf-email-change.ts
Click the line that contains the vulnerability: