Step 1) Click login to generate a session cookie


login

Step 2) Try the change-email feature


login to see the feature

Step 3) Run the attacker links and check in the DevTool the results


Account takeover 1: read session cookie (this will not work due to the httponly flag)

Account takeover 2: change email (this will not work due to the missing anti-csrf flag)

Account takeover 3: change email with anti-csrf token (this should work)