CSRF

Change Password (CSRF)

Free, 3 points

Overview

Change Password (CSRF) focuses on a state-changing account action that can be triggered without any proof of request integrity.

This lab introduces Cross-Site Request Forgery through a password change workflow. A valid session cookie only proves that the browser is authenticated; it does not prove that the user intended to send the request. Because the browser attaches the cookie automatically, a request forged from another site looks identical to one the user submitted deliberately.

Security Impact

CSRF in password workflows can lead to account disruption, unauthorized account changes, loss of access, and follow-on compromise when an attacker can cause a victim's browser to submit a trusted request.

Vulnerability Scope

Password changes, email updates, payment actions, preference changes, admin settings, and legacy forms are exposed when the server authorizes the action based only on an automatically attached session cookie, with no per-request secret or origin check.

Lab Focus

The lab focuses on state-changing requests, why CSRF tokens and same-site protections matter, and how user authentication differs from user intent.
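To make the distinction between authentication and intent concrete, the following is an added example written for this page; it is not the lab's own code and uses no framework or network. It models a password-change endpoint twice, once trusting the session cookie alone and once requiring a same-origin Origin header plus a per-session synchronizer token, and models how a browser decides whether to attach a cookie to a cross-site top-level POST depending on its SameSite attribute. The origins, session store, and user data are constructed for illustration.

```python
"""Toy model of a password-change endpoint with and without CSRF defences.

Constructed example: in-memory state, no framework, no network. Cookie
attachment follows the SameSite rules browsers apply to top-level form posts.
"""
import hmac
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://app.example"            # assumed origin of the lab application
ATTACKER_ORIGIN = "https://attacker.example"  # assumed attacker-controlled site

SESSIONS: dict[str, dict] = {}                # session_id -> session record


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str, password: str) -> str:
    """Create a session and a per-session CSRF token (synchronizer token pattern)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "password": password, "csrf": secrets.token_hex(16)}
    return sid


def cookie_is_sent(samesite: str, cross_site: bool, method: str) -> bool:
    """Browser rule for attaching a cookie to a top-level request."""
    if not cross_site:
        return True
    if samesite == "None":
        return True             # sent on every request (requires Secure)
    if samesite == "Lax":
        return method == "GET"  # top-level GET navigations only, never cross-site POST
    return False                # Strict: never on cross-site requests


def change_password_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone: checks authentication, not intent."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    sess["password"] = req.form["new_password"]
    return 200


def change_password_hardened(req: Request) -> int:
    """Requires a same-origin Origin header and a valid synchronizer token."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401
    if req.headers.get("Origin") != APP_ORIGIN:
        return 403              # cross-site (or missing) Origin: refuse
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403              # attacker cannot read the victim's token cross-site
    sess["password"] = req.form["new_password"]
    return 200


def build_request(sid: str, samesite: str, cross_site: bool, with_token: bool) -> Request:
    """Simulate what the victim's browser sends for an auto-submitted POST form."""
    req = Request(method="POST",
                  headers={"Origin": ATTACKER_ORIGIN if cross_site else APP_ORIGIN},
                  form={"new_password": "attacker-chosen" if cross_site else "user-chosen"})
    if cookie_is_sent(samesite, cross_site, "POST"):
        req.cookies["session"] = sid
    if with_token:
        req.form["csrf_token"] = SESSIONS[sid]["csrf"]  # only the genuine page has it
    return req


def run_scenarios() -> dict:
    """Return status codes (and resulting passwords) for the cases that matter."""
    results = {}
    # 1. Vulnerable endpoint, cookie attached cross-site: forged request succeeds.
    sid = login("alice", "hunter2")
    results["vuln_samesite_none"] = change_password_vulnerable(
        build_request(sid, "None", cross_site=True, with_token=False))
    results["password_after_attack"] = SESSIONS[sid]["password"]
    # 2. Same endpoint, SameSite=Lax: browser withholds the cookie on cross-site POST.
    sid = login("alice", "hunter2")
    results["vuln_samesite_lax"] = change_password_vulnerable(
        build_request(sid, "Lax", cross_site=True, with_token=False))
    # 3. Hardened endpoint, cookie attached but wrong Origin and no token: rejected.
    sid = login("alice", "hunter2")
    results["hardened_forged"] = change_password_hardened(
        build_request(sid, "None", cross_site=True, with_token=False))
    results["password_after_hardened_attack"] = SESSIONS[sid]["password"]
    # 4. Hardened endpoint, genuine same-origin form carrying the token: accepted.
    results["hardened_legit"] = change_password_hardened(
        build_request(sid, "Lax", cross_site=False, with_token=True))
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind when reading the model: a missing Origin header is treated as a rejection here, which is the safe default but can break clients that strip it, and SameSite=Lax alone is not a complete defence, since it still permits cross-site top-level GET navigations and some browsers relax it briefly for newly set cookies. The token check is what ties the request to the user's intent; the cookie attribute only narrows when the browser will volunteer the session.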