Find This Easy CSRF in Every Website- A Sweet P4🔥

AjakCybersecurity
5 min read · Apr 25, 2024

Thank you for 2K followers, keep showing love :) Hi, Ajak Amico here, welcome back to another blog. Today I will explain how I found an easy CSRF that earned me a Hall of Fame listing, and you can exploit this in almost every organization. So before starting, if you haven't subscribed to our channel, do subscribe, guys.

Follow our Youtube Channel: @ajakcybersecurity (360 Videos)

Follow on Instagram: AjakCybersecurity

Buy me Coffee: https://buymeacoffee.com/ajak

Recon:

My favourite recon tool for subdomain enumeration is https://subdomainfinder.c99.nl/; I ran it against the target and opened every URL via a bulk URL extension. In this scenario I had been testing this website for almost 24 hours and had found an auth bypass, which I will share in the next writeup, and this CSRF flaw. The page in question is a community page where users share their queries about banking and related topics, and other users, including employees, can answer. I tried IDOR but couldn't exploit it; it threw me a 403 error.

Every request and every feature had a CSRF_TOKEN implemented, but at two endpoints the API did not have a CSRF_TOKEN:

  1. Follow/Unfollow Hashtags.
  2. Delete Notification.
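The gap described above is the classic one: CSRF protection applied route by route, so a couple of state-changing endpoints get missed. The following is an added example (not the author's code and not the target site's code) that models the two patterns side by side: per-route opt-in, which leaves the follow-hashtag and delete-notification routes exposed, and a framework-level default that checks every non-safe method regardless of how the route was registered. It also includes a small audit helper that lists state-changing routes without protection, which is the check a reviewer would run before shipping. The route names, the in-memory session store and the `Request` class are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory stand-ins for the community site's session store and
# router. Route paths and handler names are assumptions, not the real site's.


@dataclass
class Request:
    method: str
    path: str
    session_id: str          # the cookie the browser attaches automatically
    form: dict = field(default_factory=dict)


SESSIONS = {}  # session_id -> issued CSRF token (constructed sample store)


def issue_csrf_token(session_id):
    """Bind a fresh random token to the session; the page embeds it in forms."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def csrf_token_valid(req):
    """Constant-time comparison of the submitted token with the session's token."""
    expected = SESSIONS.get(req.session_id)
    supplied = req.form.get("csrf_token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)


ROUTES = {}  # (method, path) -> (handler, csrf_protected flag)


def route(method, path, csrf=True):
    def deco(fn):
        ROUTES[(method, path)] = (fn, csrf)
        return fn
    return deco


@route("POST", "/api/questions", csrf=True)
def post_question(req):
    return 200, "question posted"


@route("POST", "/api/hashtags/follow", csrf=False)   # the gap: opted out
def follow_hashtag(req):
    return 200, "followed"


@route("POST", "/api/notifications/delete", csrf=False)  # the other gap
def delete_notification(req):
    return 200, "deleted"


def dispatch_per_route(req):
    """Per-route opt-in: exactly the pattern that leaves endpoints exposed."""
    handler, protected = ROUTES[(req.method, req.path)]
    if protected and not csrf_token_valid(req):
        return 403, "missing or invalid CSRF token"
    return handler(req)


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def dispatch_enforce_all(req):
    """Framework default: every state-changing method is checked, whatever the route flag says."""
    handler, _ = ROUTES[(req.method, req.path)]
    if req.method not in SAFE_METHODS and not csrf_token_valid(req):
        return 403, "missing or invalid CSRF token"
    return handler(req)


def unprotected_state_changing_routes():
    """Audit helper: state-changing routes registered without CSRF protection."""
    return sorted(path for (method, path), (_, protected) in ROUTES.items()
                  if method not in SAFE_METHODS and not protected)


if __name__ == "__main__":
    # A cross-site POST carries the victim's session cookie but no token.
    forged = Request("POST", "/api/hashtags/follow", "sess-victim")
    print("audit:", unprotected_state_changing_routes())
    print("per-route dispatch:", dispatch_per_route(forged))      # accepted: the bug
    print("enforce-all dispatch:", dispatch_enforce_all(forged))  # rejected
```

The audit helper is the cheap win here: run it in CI against the real router so a newly added endpoint that forgets the check fails the build instead of shipping.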


Security Researcher @UK || Digital Forensics Investigator || Web Pentester || YouTuber || Instructor || Blogger https://www.youtube.com/@ajakcybersecurity23