Slack: csrf

2014-03-01T23:07:20
ID H1:2635
Type hackerone
Reporter appsecure_in
Modified 2014-04-06T19:42:58

Description

Hi,

Anti-CSRF tokens to prevent CSRF attacks are missing on this link: https://sehacure.slack.com/help/requests/new

A new request can be submitted by a malicious guy to the support team on behalf of the user.

The victim will never get to know.

1) Go to this link

https://sehacure.slack.com/help/requests/new

2) Open the Tamper Data addon in Firefox. Submit the data.

3) Tamper the request; there are no tokens in the request.

Best regards, Anand
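The fix the report asks for is a synchronizer token bound to the user's session and checked on every state-changing POST. The following is an added example written for this page, not Slack's code or the reporter's; it assumes a server-side session dict and a parsed form dict, and it replays the three cases from the report (legitimate submission, forged submission without a token, tampered submission with a guessed token).

```python
import hmac
import secrets
from typing import Optional

# Constructed example (not Slack's code): synchronizer-token check for a
# form handler such as POST /help/requests/new.

def issue_csrf_token(session: dict) -> str:
    """Create a per-session secret token and store it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """Reject requests that lack the token or carry a wrong one; the compare
    is constant-time so the token cannot be guessed byte by byte."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def handle_new_request(session: dict, form: dict) -> tuple[int, str]:
    """Server-side handler for the support form. Returns (status, body)."""
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"ticket created: {form.get('subject', '')!r}"

def demo() -> list[int]:
    """Replay the report's scenario against the hardened handler."""
    session: dict = {}
    token = issue_csrf_token(session)
    # Legitimate submission: the form includes the token the page rendered.
    ok, _ = handle_new_request(session, {"subject": "help", "csrf_token": token})
    # Cross-site submission: the attacker's page cannot read the token, so
    # the request arrives without it (the situation the report describes).
    forged, _ = handle_new_request(session, {"subject": "forged"})
    # Tampered submission carrying a guessed token is rejected as well.
    guessed, _ = handle_new_request(session, {"subject": "x", "csrf_token": "A" * 43})
    return [ok, forged, guessed]

if __name__ == "__main__":
    print(demo())  # [200, 403, 403]
```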