VetraFi CSRF Proof of Concept

This page demonstrates that a cross-origin website can read sensitive user data from VetraFi's GraphQL API using the victim's authentication cookie.

The attack works because:

• The token cookie lacks SameSite and Secure flags
• The GraphQL endpoint accepts Content-Type: text/plain (bypasses CORS preflight)
• No Origin/Referer validation on the server