HACKR.GG
CSRF | Easy

Account Settings

Crapazon's account settings form has no CSRF token. Any page can silently change Alice's email on her behalf.
