
Add request forgery guard (CSRF)

Open x1ddos opened this issue 5 years ago • 2 comments

Without CSRF protection, it is possible to create a hidden form like this one:

<form method="post" action="https://affiliates.crisp.chat/dashboard/account/form/account/">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="password" value="123">
<input type="hidden" name="notify_balance" value="0">
</form>

then submit it on any user click, on the page where the form is, log in and cash out.

x1ddos · Jul 07 '20 10:07

(precondition: account holder needs to be already logged in to affiliates.crisp.chat)

x1ddos · Jul 07 '20 10:07

Ref https://github.com/SergioBenitez/Rocket/issues/14

valeriansaliou · Jan 31 '21 15:01
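The guard the issue asks for, sketched as an added example in plain Rust (not raider's or Rocket's code, and not what the maintainers ended up shipping). It implements the synchronizer token pattern the report implies: the server issues one random token per logged-in session, embeds it in the forms it renders as a hidden `csrf_token` field, and the account-form handler refuses any POST whose token is missing or does not match the session's token, using a constant-time comparison. The `PostRequest` struct, the `sess-victim` session id, the `csrf_token` field name and the `/dev/urandom` read are all assumptions made for the example; the attacker's page in the report cannot read the victim's token, so its three-field submission is rejected before the email or password is touched.

```rust
use std::collections::HashMap;
use std::fs::File;
use std::io::Read;

/// One CSRF token per session, generated server-side and bound to the
/// session id (synchronizer token pattern).
pub struct CsrfGuard {
    tokens: HashMap<String, [u8; 32]>,
}

/// Fill `buf` from the OS CSPRNG. Assumes a Unix-like host with /dev/urandom;
/// a real deployment would use the `rand` or `getrandom` crate instead.
fn fill_random(buf: &mut [u8]) {
    File::open("/dev/urandom")
        .and_then(|mut f| f.read_exact(buf))
        .expect("CSPRNG unavailable");
}

fn to_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn from_hex(s: &str) -> Option<Vec<u8>> {
    if !s.is_ascii() || s.len() % 2 != 0 {
        return None;
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok())
        .collect()
}

/// Compare without early exit so timing does not leak how many leading bytes matched.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

impl CsrfGuard {
    pub fn new() -> Self {
        CsrfGuard { tokens: HashMap::new() }
    }

    /// Issue (or rotate) the token for a session; the server renders it into
    /// its own forms as a hidden `csrf_token` field.
    pub fn issue(&mut self, session_id: &str) -> String {
        let mut tok = [0u8; 32];
        fill_random(&mut tok);
        self.tokens.insert(session_id.to_string(), tok);
        to_hex(&tok)
    }

    /// Accept the submission only if the token matches the one bound to this session.
    pub fn verify(&self, session_id: &str, submitted: &str) -> bool {
        let expected = match self.tokens.get(session_id) {
            Some(t) => t,
            None => return false,
        };
        match from_hex(submitted) {
            Some(bytes) => constant_time_eq(expected, &bytes),
            None => false,
        }
    }
}

/// Minimal stand-in for an HTTP POST (assumed shape): session cookie plus form fields.
pub struct PostRequest {
    pub session_cookie: Option<String>,
    pub form: HashMap<String, String>,
}

/// Guarded account-settings handler: reject before touching email/password
/// unless the request carries a valid per-session token.
pub fn handle_account_form(guard: &CsrfGuard, req: &PostRequest) -> Result<(), &'static str> {
    let session = req.session_cookie.as_deref().ok_or("not logged in")?;
    let token = req.form.get("csrf_token").ok_or("missing csrf_token")?;
    if !guard.verify(session, token) {
        return Err("csrf_token does not match session");
    }
    // ... apply the email / password / notify_balance changes here ...
    Ok(())
}

/// A submission shaped like the hidden form in the report (constructed values):
/// the browser attaches the victim's session cookie, but the attacker's page
/// cannot read the victim's token, so only the three visible fields are sent.
pub fn forged_request(session_cookie: &str) -> PostRequest {
    let mut form = HashMap::new();
    form.insert("email".to_string(), "attacker@example.invalid".to_string());
    form.insert("password".to_string(), "123".to_string());
    form.insert("notify_balance".to_string(), "0".to_string());
    PostRequest { session_cookie: Some(session_cookie.to_string()), form }
}

fn main() {
    let mut guard = CsrfGuard::new();
    let token = guard.issue("sess-victim");
    let mut legit = forged_request("sess-victim");
    legit.form.insert("csrf_token".to_string(), token);
    println!("legitimate: {:?}", handle_account_form(&guard, &legit));
    println!("forged:     {:?}", handle_account_form(&guard, &forged_request("sess-victim")));
}
```

Rotating the token on each `issue` call invalidates the previous one for that session, which is the behaviour you want after login and after any sensitive change; in a Rocket app the same check would live in a request guard (`FromRequest`) so that every state-changing route gets it without each handler repeating the lookup.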