CSRF Labs

Hello friends! Welcome to my twisted CSRF labs!
These are the CSRF labs with some of the sweetest cheese but you will have to work for it.

Here are some ground rules:

• CSRF 1 is supposed to be safe, please report all issues to info@thexssrat.com
• Each core CSRF lab now returns its own flag directly when you trigger the vulnerable workflow.
• Each lab includes guided hints and a "Why This Works" section so learners can reason about the flaw instead of just copying a payload.
• You can always go to the solutions file
• These challenges will get progressively harder

Recommended Order

Play the core sequence in order: CSRF 1, 2, 3, 4, 5. After that, move to the bonus transfer labs and the theme park workflow.

Difficulty arc: no token, weak token shape checks, predictable tokens, exact predictable tokens, then partial-match token validation.