CSRF: build the exploit, then the defense

Build a deliberately CSRF-vulnerable cookie-session web app and a separate attacker origin, exploit it end-to-end, then harden it with SameSite, a CSRF token, and an Origin check — proving with a real cross-origin attacker page that every documented vector fails after hardening.

• Stand up a small cookie-session app (your stack of choice) on origin A with a login and at least two state-changing endpoints: a POST /transfer (or change-email) and a GET /account/close that actually mutates. Use a session cookie with NO SameSite attribute to start.
• Stand up a separate attacker origin B (different host/port) serving an attack page: a hidden auto-submitting form to POST /transfer, an image/link triggering GET /account/close, and an auto-submitting login form for the login-CSRF case.
• Demonstrate the working exploits while logged into A: capture proof (server logs / DB diff / screen recording) that the cross-site POST, the GET side effect, and login CSRF each succeed with the victim's session attached.
• Add explicit SameSite=Lax to the session cookie and re-run all exploits. Document which now fail (cross-site POST) and which still succeed (GET state-change, and the login-CSRF / SameSite=None cases if present), explaining each outcome.
• Implement a real token defense on every state-changing route: a synchronizer token (per-session, stored server-side, embedded in forms / required in a header) for the server-rendered flows, or an HMAC-signed double-submit for any stateless/API route. Cover the login form with a pre-session token.
• Move every mutation off GET onto POST/PUT/PATCH/DELETE behind the token check, so GET /account/close no longer mutates.
• Add an Origin check (fall back to Referer) on state-changing routes as a defense-in-depth layer, rejecting foreign origins.
• Re-run the full attacker suite from origin B and capture proof that every exploit now fails — and note, for each, WHICH layer stopped it.

• A before/after exploit log: for each vector (cross-site POST, GET side effect, login CSRF) show it succeeding pre-hardening and failing post-hardening, with the server response/status as evidence — observed, not asserted.
• A defense matrix mapping each vector to the layer that stops it (SameSite, token, GET-to-POST move, Origin check) and noting which layers are redundant defense-in-depth versus the load-bearing one.
• The token defense is shown to reject a forged request that omits or guesses the token, and to accept a legitimate same-origin request — both demonstrated, not claimed.
• A one-paragraph write-up explaining why SameSite alone was insufficient and which single layer would have been the minimum viable defense if you could keep only one.