gettransfer.com Cross Site Request Forgery vulnerability

Description

Open Bug Bounty ID: OBB-1024190

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website | **[gettransfer.com](<https://gettransfer.com>)** |
| Vulnerable Application | Custom Code |
| Vulnerability Type | **[CSRF (Cross-Site Request Forgery)](<https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)>)** / CWE-352 |
| CVSSv3 Score | 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H] |
| Disclosure Standard | Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines |
| Discovered and Reported by | **Auntor** |
| Remediation Guide | **[OWASP CSRF Prevention Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md>)** |
| Vulnerable URL | (published only as an image; not available as text) |
| Researcher's Comment | (published only as an image; not available as text) |

**Screenshot Before CSRF:** ![gettransfer.com vulnerability](/twimages/screen-1024190-1.jpg)

**Screenshot After CSRF:** ![gettransfer.com vulnerability](/twimages/screen-1024190-2.jpg)

### Coordinated Disclosure Timeline

| Event | Date |
|---|---|
| Vulnerability Reported | 26 November, 2019 19:02 GMT |
| Vulnerability Verified | 27 November, 2019 07:32 GMT |
| Website Operator Notified | 27 November, 2019 07:32 GMT |
| Public Report Published [without any technical details] | 27 November, 2019 07:32 GMT |
| Vulnerability Fixed | 27 November, 2019 09:44 GMT |

Website operator notification methods used:

a. Using the ISO 29147 guidelines: done
b. Using publicly available security contacts: done
c. Using Open Bug Bounty notification framework: done
d. Using security contacts provided by the researcher: done