Juicy Shop

CSRF on Email Change

Session SecurityA01:2021 – Broken Access Controlmedium

Vulnerability

The change-email endpoint mutates state but is authorised only by the ambient session cookie. Browsers attach that cookie automatically to cross-site requests, so an attacker can host a page that auto-submits a form to this endpoint; the victim's browser sends their cookie and the email is changed without consent. Capturing the account email is a common precursor to a full account takeover via password reset.

Exploit Steps

  1. Log in as a victim user in one tab to establish a session cookie
  2. Visit an attacker page that auto-submits a POST to /account/email
  3. The browser attaches the victim's session cookie automatically
  4. The email is changed to the attacker's address, enabling a password-reset takeover

Tools: a malicious HTML page, browser devtools, Burp Suite

Mitigation & Solution

Require a per-session anti-CSRF token on every state-changing request and verify it server-side; the cross-origin attacker cannot read it. Set session cookies to SameSite=Lax or Strict as a strong second layer. Never change state on GET. Referer checks and CAPTCHAs are weaker, bypassable substitutes.

Coding Challenge

Find It

File: apps/juicy-shop/src/security-examples/csrf-email-change.ts

Click the line that contains the vulnerability:

Fix It