valeriansaliou / raider

🐎 Affiliates dashboard. Used by affiliates to generate tracking codes and review their balance.
https://crates.io/crates/raider-server
Mozilla Public License 2.0
158 stars, 35 forks

Add request forgery guard (CSRF) #4

Open x1ddos opened 4 years ago

x1ddos commented 4 years ago

Without CSRF, it is possible to create a hidden form like this one:

<form method="post" action="https://affiliates.crisp.chat/dashboard/account/form/account/">
<input type="hidden" name="email" value="another@example.org">
<input type="hidden" name="password" value="123">
<input type="hidden" name="notify_balance" value="0">
</form>

then submit it on any user click on the page where the form is, log in, and cash out.

x1ddos commented 4 years ago

(precondition: account holder needs to be already logged in to affiliates.crisp.chat)

valeriansaliou commented 3 years ago

Ref https://github.com/SergioBenitez/Rocket/issues/14
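To make the requested guard concrete, here is an added example of the check such a guard performs, written for this issue and not code from raider or from Rocket. It models a synchronizer token tied to the logged-in session plus an Origin/Referer check, and replays the reporter's forged form against it. Everything here is constructed: the `Session`, `Request` and `check_csrf` names, the sample token, and the attacker origin are assumptions, and a real deployment would generate the token with a CSPRNG (for instance the `rand` crate) and tie it to the session cookie rather than using the constant shown.

```rust
use std::collections::HashMap;

/// Site whose forms we protect (taken from the report's form action).
pub const SITE: &str = "https://affiliates.crisp.chat";

/// Why a request was rejected. The HTTP response should not echo which check failed.
#[derive(Debug, PartialEq)]
pub enum CsrfError {
    BadOrigin,
    MissingToken,
    TokenMismatch,
}

/// What the server knows about the authenticated session.
pub struct Session {
    /// Per-session anti-CSRF token. Assumption: generated with a CSPRNG at login;
    /// the constant used below is a constructed sample, not a real token.
    pub csrf_token: String,
}

/// Minimal model of an incoming POST: lower-cased header names plus parsed form fields.
pub struct Request<'a> {
    pub headers: HashMap<&'a str, &'a str>,
    pub form: HashMap<&'a str, &'a str>,
}

/// Constant-time comparison so the token check does not leak bytes through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Browsers attach an Origin header to cross-site form POSTs. Accept only our own origin,
/// fall back to a same-site Referer when Origin is absent, and reject when both are missing.
fn origin_ok(req: &Request, allowed_origin: &str) -> bool {
    if let Some(origin) = req.headers.get("origin") {
        return *origin == allowed_origin;
    }
    if let Some(referer) = req.headers.get("referer") {
        return *referer == allowed_origin || referer.starts_with(&format!("{}/", allowed_origin));
    }
    false
}

/// The guard: the request must come from our origin and carry the session's token in the body.
/// Both checks run on every state-changing POST, before the handler touches the account.
pub fn check_csrf(session: &Session, req: &Request, allowed_origin: &str) -> Result<(), CsrfError> {
    if !origin_ok(req, allowed_origin) {
        return Err(CsrfError::BadOrigin);
    }
    let token = req.form.get("csrf_token").ok_or(CsrfError::MissingToken)?;
    if !ct_eq(token.as_bytes(), session.csrf_token.as_bytes()) {
        return Err(CsrfError::TokenMismatch);
    }
    Ok(())
}

/// Constructed sample session; the token value is illustrative only.
pub fn sample_session() -> Session {
    Session { csrf_token: "constructed-token-5f2c9a1e7b3d".to_string() }
}

/// Constructed replay of the report's hidden form, auto-submitted from an attacker-controlled page.
/// The victim's browser adds the session cookie, but the Origin is the attacker's and no token is sent.
pub fn forged_request() -> Request<'static> {
    let mut headers = HashMap::new();
    headers.insert("origin", "https://attacker.example");
    headers.insert("cookie", "session=victim-session-cookie");
    let mut form = HashMap::new();
    form.insert("email", "another@example.org");
    form.insert("password", "123");
    form.insert("notify_balance", "0");
    Request { headers, form }
}

/// Constructed legitimate submission from the dashboard's own form, which embeds the token.
pub fn legitimate_request(session: &Session) -> Request<'_> {
    let mut headers = HashMap::new();
    headers.insert("origin", SITE);
    headers.insert("cookie", "session=victim-session-cookie");
    let mut form = HashMap::new();
    form.insert("email", "owner@example.org");
    form.insert("csrf_token", session.csrf_token.as_str());
    Request { headers, form }
}

fn main() {
    let session = sample_session();
    println!("forged form:     {:?}", check_csrf(&session, &forged_request(), SITE));
    println!("dashboard form:  {:?}", check_csrf(&session, &legitimate_request(&session), SITE));
}
```

The forged form fails on the Origin check alone; even if an attacker could suppress Origin and Referer, it would still fail for lack of the token, which a cross-site page cannot read because of the same-origin policy. The token check is the one that matters, since Origin handling varies across old browsers and proxies; the origin check is defence in depth.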