
PortSwigger: SameSite=Lax Bypass via Method Override

Modern browsers default cookies to SameSite=Lax when no SameSite attribute is set, which makes many CSRF exploits harder: the cookie is still attached to top-level cross-site GET navigations, but not to cross-site POST requests.

This exploit relies on request-method confusion: the request is issued as a top-level GET, so the browser still sends the Lax cookie, while a method-override parameter makes the server-side handler treat it as a POST.

This depends on the target framework honouring a request-method override parameter supplied in the form.
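To make the framework-side condition concrete, here is an added example (not code from the original post or from any particular framework) that models a method-override middleware in the weak form that enables this bypass and in a hardened form, plus a Sec-Fetch-Site check that does not rely on cookies at all. The parameter name `_method` and the request shape are assumptions for illustration.

```python
# Added example: minimal model of a framework's method-override middleware.
# "_method" as the override parameter name is an assumption for illustration.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    method: str                                           # real HTTP verb the browser used
    query: Dict[str, str] = field(default_factory=dict)   # URL query parameters
    form: Dict[str, str] = field(default_factory=dict)    # body form fields
    headers: Dict[str, str] = field(default_factory=dict)


def effective_method_weak(req: Request) -> str:
    """Weak: honours the override from the query string or body on ANY verb.
    A top-level cross-site GET (on which SameSite=Lax still sends the cookie)
    is therefore upgraded to a 'POST' by the application itself."""
    override = req.query.get("_method") or req.form.get("_method")
    return override.upper() if override else req.method


def effective_method_hardened(req: Request) -> str:
    """Hardened: the override is accepted only on a real POST and only from the
    body, so a GET navigation can never become a state-changing method."""
    if req.method != "POST":
        return req.method
    override = req.form.get("_method")
    return override.upper() if override else "POST"


def is_cross_site_state_change(req: Request, method: str) -> bool:
    """Cookie-independent check: browsers send Sec-Fetch-Site on requests, and a
    state-changing method arriving with 'cross-site' should be rejected (or at
    least still require a CSRF token). Absent header means an older client."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return False
    return req.headers.get("Sec-Fetch-Site", "") == "cross-site"


if __name__ == "__main__":
    # Constructed sample: a cross-site GET navigation carrying the override.
    nav = Request(method="GET", query={"_method": "POST", "field": "value"},
                  headers={"Sec-Fetch-Site": "cross-site"})
    print("weak middleware sees:", effective_method_weak(nav))        # POST
    print("hardened middleware sees:", effective_method_hardened(nav))  # GET
```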