
Add request forgery guard (CSRF) #4

Open
x1ddos opened this issue Jul 7, 2020 · 2 comments

Comments

@x1ddos
Contributor

x1ddos commented Jul 7, 2020

Without CSRF, it is possible to create a hidden form like this one:

```html
<form method="post" action="https://affiliates.crisp.chat/dashboard/account/form/account/">
<input type="hidden" name="email" value="another@example.org">
<input type="hidden" name="password" value="123">
<input type="hidden" name="notify_balance" value="0">
</form>
```

then submit it on any user click, on the page where the form is, log in and cash out.

@x1ddos
Contributor Author

x1ddos commented Jul 7, 2020

(precondition: account holder needs to be already logged in to affiliates.crisp.chat)
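An added example (my own code, not from the crisp-affiliates project or from Rocket) of the guard this issue asks for: a synchronizer-token check that rejects the forged form above while accepting a same-origin submission carrying the per-session token. It assumes the session layer has already issued a CSPRNG token and stored it server-side; the `FormPost` type, the `_csrf_token` field name and the sample origins are constructed for the demo.

```rust
// Added example (not code from the crisp-affiliates project or Rocket): framework-agnostic
// synchronizer-token CSRF check; token issuance (CSPRNG, stored in the session) is assumed done elsewhere.
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum CsrfError { BadOrigin, MissingToken, BadToken }

/// Minimal view of an incoming POST: the Origin header (if the browser sent one) plus form fields.
pub struct FormPost<'a> {
    pub origin: Option<&'a str>,
    pub fields: HashMap<&'a str, &'a str>,
}
/// Constant-time comparison so a mismatch is not revealed byte by byte through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Reject the POST unless it carries the token issued to this session (and a matching Origin, if sent).
pub fn check_csrf(session_token: &str, site_origin: &str, post: &FormPost<'_>) -> Result<(), CsrfError> {
    // Browsers attach Origin to cross-site POSTs; a foreign (or "null") Origin is rejected outright.
    if let Some(origin) = post.origin {
        if origin != site_origin {
            return Err(CsrfError::BadOrigin);
        }
    }
    // The hidden attacker form cannot read the per-session token, so it is absent or wrong.
    let submitted = post.fields.get("_csrf_token").ok_or(CsrfError::MissingToken)?;
    if !ct_eq(submitted.as_bytes(), session_token.as_bytes()) {
        return Err(CsrfError::BadToken);
    }
    Ok(())
}

/// Constructed sample: the forged form from the report, submitted from an attacker-controlled page.
pub fn forged_post() -> FormPost<'static> {
    let fields = HashMap::from([("email", "another@example.org"), ("password", "123"), ("notify_balance", "0")]);
    FormPost { origin: Some("https://attacker.example"), fields }
}

/// Constructed sample: a legitimate submission from the dashboard page carrying the session token.
pub fn legit_post(token: &'static str) -> FormPost<'static> {
    let fields = HashMap::from([("email", "me@example.org"), ("_csrf_token", token)]);
    FormPost { origin: Some("https://affiliates.crisp.chat"), fields }
}

fn main() {
    let token = "constructed-session-token"; // real deployments: ~32 CSPRNG bytes, per session
    println!("forged: {:?}", check_csrf(token, "https://affiliates.crisp.chat", &forged_post()));
    println!("legit:  {:?}", check_csrf(token, "https://affiliates.crisp.chat", &legit_post(token)));
}
```

Pair the token with a `SameSite=Lax` session cookie so a cross-site POST is not even authenticated; the token check then covers the cases SameSite does not.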

@valeriansaliou
Owner

Ref rwf2/Rocket#14
