
CSRF Vulnerability in OopsSec Store's Next.js Admin Routes Despite `sameSite: "lax"` Cookies
The OopsSec Store, an intentionally vulnerable e-commerce application built for security training, exposes a CSRF vulnerability in its Next.js admin routes despite setting its cookies with `sameSite: "lax"`. The `PATCH /api/orders/:id` endpoint authenticates solely via an `authToken` cookie, with no additional CSRF protection such as token validation or Origin/Referer checks, so same-origin or cross-site requests can modify order statuses. An attacker can exploit this by tricking an authenticated admin into visiting a malicious page that sends a forged POST or PATCH request with `credentials: "include"` to update orders. On successful exploitation the lab returns a flag (`OSS{cr0ss_s1t3_r3qu3ry_f0rg3ry}`), demonstrating the attack. The lab is deployable via Docker or npm and runs on http://localhost:3000. No CVE ID or specific dates were mentioned in the article.