Secret: Login CSRF in Secret.ly

2014-04-17T22:39:04
ID H1:7936
Type hackerone
Reporter siddiki
Modified 2014-06-09T01:35:00

Description

https://www.secret.ly/_/login

POST /_/login HTTP/1.1 Host: www.secret.ly User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 55 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache {"Login":"user@vendor.tld","Password":"user_password_here"}

As you can see that this form does not contain any CSRF token,So it is vulnerable to Login CSRF attack.And also note that the login request is prone to bruteforce attack.You might want to impose some extra layer of security to prevent bruteforce attacks on SECRET.LY

Read this for more information about the requirement of CSRF tokens on login forms.