Cross-Site Request Forgery (CSRF) in fobybus/social-media-skeleton
Reported on Aug 14th 2023
A Cross-site request forgery (CSRF) attack is a type of malicious attack whereby an attacker tricks a victim into performing an action on a website that they do not intend to do. This can be done by sending the victim a malicious link or by exploiting a vulnerability in the website.
For example, an attacker could send a victim a malicious link that looks like it comes from a legitimate website. When the victim clicks on the link, it will submit a request to the website to transfer money from the victim's account to the attacker's account. The victim would not have intended to do this, but they would have been tricked into doing it by the attacker.
POC
https://drive.google.com/file/d/1cwVSdlxzRLEMYjoDzlZlHQR1iGh2O263/view?usp=drive_link
Impact
The attacker could change the victim's email address to one they control and use it to impersonate the victim. This could be used to commit fraud or to damage the victim's reputation.
Use a CSRF token: A CSRF token is a randomly generated value that lets the website verify that a request originated from its own pages. The token is embedded in every form or request the website's own pages send, and the website checks that the submitted token is valid before processing the request. This is the most effective way to protect against CSRF attacks.
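As an added illustration of the attack described above and of the token check recommended here (example code written for this report, not the fobybus/social-media-skeleton code), the block below models an email-change endpoint twice: a vulnerable handler that trusts any request carrying the session cookie, and a hardened one that also requires a per-session CSRF token. The in-memory session store, the `/change-email` route, the field names and the constructed forged request are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption: the real app keeps sessions elsewhere).
# Maps session id -> session data. A browser sends the session id as a cookie, and a
# cross-site page can trigger a request that carries that cookie automatically.
SESSIONS = {}


def new_session():
    """Create a logged-in session for a constructed user and return its id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": "alice", "email": "alice@example.com"}
    return sid


def issue_csrf_token(sid):
    """Generate one unguessable token per session and keep it server-side."""
    session = SESSIONS[sid]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_change_email_form(sid):
    """Embed the token as a hidden field. Only a page served by this site can read
    this value, so a form hosted on another origin cannot reproduce it."""
    token = issue_csrf_token(sid)
    return (
        '<form method="POST" action="/change-email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="email" name="email">'
        "<button>Save</button></form>"
    )


def update_email_vulnerable(sid, form):
    """Before: any request with a valid session cookie changes the email."""
    SESSIONS[sid]["email"] = form["email"]
    return 200


def update_email_protected(sid, form):
    """After: reject the request unless the submitted token matches the session's token.
    compare_digest avoids leaking the token through timing differences."""
    expected = SESSIONS[sid].get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not isinstance(supplied, str) or not supplied.isascii():
        return 403
    if not hmac.compare_digest(expected, supplied):
        return 403
    SESSIONS[sid]["email"] = form["email"]
    return 200


def demo():
    """Run a constructed forged request and a legitimate one against both handlers."""
    sid = new_session()
    render_change_email_form(sid)  # the user visited the settings page, so a token exists
    legit_token = SESSIONS[sid]["csrf_token"]

    # Constructed forged request: the session cookie is present, but a third-party page
    # cannot know the token, so the form body has none.
    forged = {"email": "attacker@example.com"}
    # Constructed legitimate request from the site's own form.
    legit = {"email": "alice@newmail.example", "csrf_token": legit_token}

    results = {}
    results["forged_vs_vulnerable"] = update_email_vulnerable(sid, forged)  # accepted
    SESSIONS[sid]["email"] = "alice@example.com"  # reset for the hardened handler
    results["forged_vs_protected"] = update_email_protected(sid, forged)  # rejected
    results["email_after_forged"] = SESSIONS[sid]["email"]
    results["legit_vs_protected"] = update_email_protected(sid, legit)  # accepted
    results["email_after_legit"] = SESSIONS[sid]["email"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token is stored server-side and compared with a constant-time check; the hidden form field is the only way a request can obtain it, which is exactly what a page on another origin cannot do.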