EVIL-ATTACKER.EXAMPLE — CSRF: Add attacker to victim's MIO account

This page is on a DIFFERENT origin than dice.fm.

Sends a fetch() request (Content-Type: text/plain, credentials: 'include') whose body is a raw GraphQL mutation.

The victim's SameSite=None _kim_key cookie is attached cross-site.
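
A server-side counterpart to the request described above, as an added example that is not part of the original page or of any dice.fm code: a gate for a cookie-authenticated GraphQL endpoint that refuses the text/plain body and the foreign Origin. The function names, the allowlist entry and the sample requests are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper names). ALLOWED_ORIGINS is an assumption:
// list the origins that actually serve your front end.
const ALLOWED_ORIGINS = new Set(["https://dice.fm"]);

// Case-insensitive lookup in a plain { name: value } header object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

const verdict = (allow, status, reason) => ({ allow, status, reason });

// Decide whether one request to the GraphQL endpoint may reach the resolver.
function checkGraphqlRequest(req) {
  const method = String(req.method).toUpperCase();
  const origin = header(req.headers, "origin");
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  // Preflight: only allowlisted origins are granted CORS approval.
  if (method === "OPTIONS") {
    return originOk ? verdict(true, 204, "preflight") : verdict(false, 403, "origin");
  }
  // No GET mutations: they need neither a body nor a preflight.
  if (method !== "POST") return verdict(false, 405, "method");

  // text/plain, form-urlencoded and multipart are CORS "simple" types, so a
  // browser sends them cross-origin without a preflight. Requiring JSON
  // forces any cross-origin caller through the OPTIONS check above.
  const raw = header(req.headers, "content-type") || "";
  const mediaType = raw.split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") return verdict(false, 415, "content-type");

  // Browsers set Origin on POST and page script cannot override it.
  // Strict policy: a missing Origin is rejected as well.
  if (!originOk) return verdict(false, 403, "origin");
  return verdict(true, 200, "ok");
}

// Constructed sample requests (cookie value is a placeholder).
const FORGED_TEXT_PLAIN = { method: "POST", headers: {
  "Content-Type": "text/plain;charset=UTF-8",
  "Origin": "https://evil-attacker.example", "Cookie": "_kim_key=PLACEHOLDER" } };
const FORGED_JSON = { method: "POST", headers: {
  "Content-Type": "application/json",
  "Origin": "https://evil-attacker.example", "Cookie": "_kim_key=PLACEHOLDER" } };
const LEGITIMATE = { method: "POST", headers: {
  "content-type": "application/json; charset=utf-8",
  "origin": "https://dice.fm", "cookie": "_kim_key=PLACEHOLDER" } };
```

Run the gate before the request body is parsed, so a rejected request never reaches a resolver.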


CSRF ATTACK: inviteUser mutation

Target: https://p-api.staging.dice.fm/graphql

Executing...

waiting...