Stripo Inc: CSRF bypass using Flash file + 307 redirect method at plugins endpoint

ID H1:766205
Type hackerone
Reporter qotoz
Modified 2020-02-10T08:38:16


Hi Security team,

I have found that the request sent to $userid$/plugins doesn't have any protection against CSRF attacks, as the server only validates that the content type is application/json, and this can be bypassed using the Flash file + 307 redirect technique.

Steps To Reproduce:

  1. Log in to your account at
  2. Visit
  3. Use this link as a PHP redirector
  4. In the request headers: Content-Type: application/json;charset=UTF-8
  5. The payload:

{"email":"","name":"csrf poc","webUrl":"csrf poc "}

Watch the network traffic from the Network tab in the DevTools,

then go back to and refresh the site; you'll find all the application data has been created.

All these steps would be integrated together and performed by the attacker's server.

I am attaching a PoC video showing the steps {F671826}

Supporting Material/References:


attacker can send request to create an application in behalf of user
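The report's root cause is a server that accepts a state-changing JSON POST on the strength of its Content-Type header alone. The following is an added illustration, not code from the report or from Stripo, contrasting that weak check with a fail-closed one that requires an allowlisted Origin (or Referer) and a per-session anti-CSRF token; the origin, header names and token value are constructed for the demo.

```python
"""Weak (Content-Type only) versus hardened CSRF validation for a JSON endpoint."""
import hmac
from urllib.parse import urlsplit

# Constructed for this example: the real application origin is not given in the report.
ALLOWED_ORIGINS = {"https://app.example.test"}
# Constructed fixed token; a real server would generate one per session with secrets.token_hex().
SESSION_TOKEN = "constructed-demo-session-token"


def weak_csrf_check(headers: dict) -> bool:
    """The check the report describes: only the Content-Type is inspected.
    Any sender able to set that header on a cross-site POST passes."""
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == "application/json"


def origin_allowed(headers: dict) -> bool:
    """Fail closed: Origin (falling back to Referer) must be present and allowlisted.
    A missing header is a rejection, not a pass."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def hardened_csrf_check(headers: dict, session_token: str) -> bool:
    """Require both an allowlisted origin and a token bound to the session and echoed
    in a custom header (X-CSRF-Token is an assumed name). Content-Type is not trusted."""
    sent = headers.get("X-CSRF-Token", "")
    token_ok = hmac.compare_digest(sent, session_token)
    return origin_allowed(headers) and token_ok


# Constructed sample requests to the plugins endpoint.
LEGIT = {"Content-Type": "application/json;charset=UTF-8",
         "Origin": "https://app.example.test", "X-CSRF-Token": SESSION_TOKEN}
# Cross-site POST arriving via a redirector: correct Content-Type, wrong origin, no token.
FORGED_WITH_ORIGIN = {"Content-Type": "application/json;charset=UTF-8",
                      "Origin": "https://attacker.example.test"}
# Same request with no Origin or Referer at all; the weak check still accepts it.
FORGED_NO_ORIGIN = {"Content-Type": "application/json;charset=UTF-8"}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("forged+origin", FORGED_WITH_ORIGIN),
                      ("forged-no-origin", FORGED_NO_ORIGIN)]:
        print(f"{name:17} weak={weak_csrf_check(req)} hardened="
              f"{hardened_csrf_check(req, SESSION_TOKEN)}")
```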