Docs/csrf admin order update#190

Merged
kOaDT merged 2 commits into main from docs/csrf-admin-order-update on Apr 25, 2026
Conversation

@kOaDT
Owner

@kOaDT kOaDT commented Apr 25, 2026

Description

Adds a standalone writeup for the CSRF vulnerability on the admin order update endpoint (POST / PATCH /api/orders/:id) and improves the educational debrief shown to the player when the CSRF exploit page fires successfully.

The writeup walks through the lab setup, the phishing flow via /exploits/csrf-attack.html, retrieval of the flag from the response logged to the console, an analysis of the vulnerable handler and sameSite=lax cookie, and three layered remediations (strict cookie, CSRF token with custom header, Origin allowlist).

The exploit page's success alert() was rewritten so the player understands they are playing the victim Charlie Gullible (not the attacker): it explains in plain language that the page silently sent a POST to OopsSec Store using their existing admin session, why the cookie was attached (sameSite=lax), which server-side checks were missing (CSRF token, Origin, Referer), and where to find the flag (browser console).

Type of change

  • Bug fix
  • New feature (e-commerce site improvement)
  • New vulnerability / flag
  • Walkthrough / writeup
  • Documentation update
  • Other (please describe):

Testing done

  • Ran the lab locally with npm run dev and logged in as admin.
  • Loaded /exploits/csrf-attack.html and clicked the call-to-action button; verified the POST /api/orders/ORD-003 request fires with credentials: "include", the authToken cookie is attached, the order status flips to DELIVERED, and the new alert text is displayed.
  • Verified the flag OSS{cr0ss_s1t3_r3qu3st_f0rg3ry} is logged to the DevTools console under Flag: after dismissing the alert.
  • Reproduced the same request manually from the DevTools console (the alternative path documented in the writeup) and confirmed identical behavior.
  • Verified the writeup renders correctly in the Astro blog (docs/) with the three referenced images (admin.png, phishing.png, pwned.png) loading from assets/images/csrf-admin-order-update/.

Checklist

  • Documentation updated (if applicable)

@kOaDT kOaDT self-assigned this Apr 25, 2026
@github-actions github-actions Bot added the size/L PR size: L label Apr 25, 2026
@github-actions

Thank you @kOaDT for contributing once again!

📊 PR overview

Files changed: 5 · Additions: +210 · Deletions: -1 · Size: L

📝 Before review

To help maintainers review your changes efficiently, please ensure that:

  • The PR description clearly explains what was changed and why
  • The PR checklist has been filled out
  • All existing tests continue to pass
  • New tests have been added for any new functionality

📖 Please review our Contributing Guidelines and Code of Conduct.

✅ Continuous Integration

Two CI workflows will run automatically on this PR:

  • Code Quality — linting and formatting checks
  • Exploitation Tests — ensures vulnerabilities and flags work as expected

You can follow their progress in the Checks tab.

🤝 A note on collaboration

We value respectful and constructive interactions. Whether you are a contributor or a reviewer, please be patient, kind, and open to feedback.


A maintainer will review your changes as soon as possible. If you have any questions, feel free to ask in this thread.


@kOaDT kOaDT force-pushed the docs/csrf-admin-order-update branch from d658945 to 3775f71 on April 25, 2026 16:14
@kOaDT kOaDT merged commit c55c0c2 into main Apr 25, 2026
6 checks passed
@kOaDT kOaDT deleted the docs/csrf-admin-order-update branch April 25, 2026 16:20