🔓 CSRF Proof-of-Concept

Exploiting SameSite=None cookies on https://development-api.useholo.com

⚠️ These attacks use hidden HTML forms. Form submissions are "simple requests" — they bypass CORS preflight entirely. The browser sends them directly with cookies attached. No OPTIONS check. No CORS headers needed.
1. Dev logs in from localhost:3000
2. Cookie set with SameSite=None
3. Dev visits this malicious page
4. Hidden forms fire with dev's cookies 💀

Attack 1: Trigger Password Reset Email (real side-effect!)

Fires POST /users/resend-set-password-email/:email via hidden form. This sends a real password-reset email to the target. No request body needed — the email is in the URL. Verifiable: the victim receives an email.

Attack 2: Create a Rogue User Account (creates real data!)

Fires POST /users via hidden form. Creates a new user in the system under the dev's session. The attacker controls the name, email, and phone of the new account.

📖 Why do these work?

Mechanism: HTML <form> submissions with method="POST" and enctype="application/x-www-form-urlencoded" are classified as "simple requests" by the browser. They do NOT trigger a CORS preflight OPTIONS check.

SameSite=None: The cookie was set with SameSite=None, so the browser attaches it to every cross-origin request — including these form submissions from a completely unrelated origin.

Result: The server receives a fully authenticated request. Without an Origin check or a CSRF token, it has no way to know the request wasn't initiated by the real user. The request executes. Data is created, emails are sent, state is mutated.

Fix: Either keep SameSite=Lax (the browser then withholds the cookie on cross-origin POSTs) or gate this behavior behind an env flag like ALLOW_LOCALHOST_COOKIES=true so it's explicit and intentional. Alternatively, add a CSRF token mechanism.
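The two server-side halves of that fix as an added example (not the project's own code): a Set-Cookie builder that only emits SameSite=None when ALLOW_LOCALHOST_COOKIES=true, and an Origin/Referer allow-list check for state-changing requests. The allow-list contents and the cookie name are assumptions for the example.

```javascript
// Added example, plain Node.js, no framework. The origins below are constructed
// from the page: the API's own origin and the dev frontend on localhost:3000.
const ALLOWED_ORIGINS = new Set([
  "https://development-api.useholo.com",
  "http://localhost:3000",
]);

// Build the session Set-Cookie header. SameSite=Lax is the default, so a
// cross-site <form method="POST"> never carries the cookie. SameSite=None is
// emitted only when the env flag makes the localhost case explicit.
function buildSessionCookie(value, env = process.env) {
  const attrs = ["session=" + encodeURIComponent(value), "Path=/", "HttpOnly", "Secure"];
  if (env.ALLOW_LOCALHOST_COOKIES === "true") {
    attrs.push("SameSite=None"); // browsers require Secure alongside None
  } else {
    attrs.push("SameSite=Lax");
  }
  return attrs.join("; ");
}

// Guard for state-changing methods. Browsers set Origin on cross-origin POSTs,
// form submissions included; fall back to Referer when Origin is absent.
// Anything not on the allow-list is refused, so a hidden form on an unrelated
// origin fails even though the cookie arrived with the request.
function isAllowedStateChange(method, headers) {
  if (["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase())) return true;
  let origin = headers.origin || null;           // Node lower-cases header names
  if (!origin && headers.referer) {
    try {
      origin = new URL(headers.referer).origin;
    } catch {
      return false;                                // malformed Referer: refuse
    }
  }
  if (!origin) return false;                       // no source info: refuse, don't guess
  return ALLOWED_ORIGINS.has(origin);
}
```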