Slack: csrf

ID H1:2635
Type hackerone
Reporter appsecure_in
Modified 2014-04-06T19:42:58



Anti-CSRF tokens to prevent CSRF attacks are missing on this link.

A new request can be submitted by a malicious guy to the support team on behalf of the user.

The victim will never get to know.

1) Go to this link

2) Open the Tamper Data addon in Firefox. Submit the data.

3) Tamper the request; there are no tokens in the requests.

Best regards, Anand
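
The missing control described in the report, as an added example that is not part of the original report and is not Slack's code: a session-bound anti-CSRF token that a support-form handler checks before acting. The names `issue_csrf_token`, `csrf_token_valid`, `handle_support_request` and the `csrf_token` form field are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed key for the example; a real service loads a stable secret
# from protected configuration instead of generating one at import time.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> bytes:
    """HMAC-SHA256 over the session id and nonce, hex-encoded as bytes."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the form the server renders for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def csrf_token_valid(session_id: str, token) -> bool:
    """Check a submitted token against the session the request arrived with."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False  # missing or malformed token: the case in the report
    nonce, submitted = token.split(".")
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(_mac(session_id, nonce), submitted.encode())


def handle_support_request(session_id: str, form: dict) -> int:
    """Hypothetical support-form handler; returns an HTTP status code."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403  # the request did not carry a token issued to this session
    # ... create the support request for the authenticated user here ...
    return 200
```

A request forged from another site carries the victim's session cookie but cannot read the token from the rendered form, so it is rejected with 403.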