Lab setup
Log in as victim in one browser session. Open attacker's HTML page (provided in lab) that auto-submits form to vulnerable endpoint.
PoC construction
Auto-submitting form with hidden fields matching server expectations. IMG tag for GET-based CSRF.
Fix validation
After exploit, identify missing synchronizer token. Understand SameSite=Strict cookie mitigation.